Академический Документы
Профессиональный Документы
Культура Документы
Software Architecture-W - Free08 PDF
Software Architecture-W - Free08 PDF
������������
��������
����������
�����������
��������������
�����������
����������
�����������
��������������
�����������
�������
������������ ��������������������������� �������� �� ��� ������������������
��� ���������� �� ���� ���������� ����� ��� ������� ��� ������ ������� ��
��� ���� �������� �� ������������ ��������� ���� ��������� �� ���������
������������ ���� ������� ����� ��������� �� ��������� ����� �������� ��� ��
������ ������� �� ������ ��������� �� ��� �� ������ ��������� ��������
������� ��� ����������� �������� ��� ����� ��� �������� �� ����� ��� ��
����� �������� �������� ��� ������������ �� ��� ������� �����������
����������������������� �������������� �������������������������������
�������������������������������������������������������������
�����������������������
��� ����� ���������� �������� ����� ��� � ������ ����������� ����� �������
������������ ���������� ��� ������� ����������� �� ���� �� ����������� ��� ��
������������ ������� ��� ����� �� ������������������ ��� ����� ���� ���������
�������������������������������
�����������������������
��� �������� ����� ��� ������ ������� ����� ���������� ����� �������
������� ����� ����� �������������� ��������� ���� ������ �� ����� ��� ���
���������� ������ �� �������� ���� ���� ������ ����������� �������� ������
������ ������ ��� ��� ��� ������� ������� ��� ��� ��������� �� ��������
���� ���� ���� �������� �������������� �������� �������� ��� ��� ���
�����������������������������������������������
������ ���������������
��� ���� ��� ��������� �� ����� ���������� �� ���� ����� ���� ��������
��������� �������� ��� ������������������������������ ������������
�� ��� ���� ����������������������� �� ����������� ���� ���������������
������������������������������� ���������������������������������������
�������������������������������������������������������������
�������������������
��� ���������������� �������� �� ��������� �������� �� �� ���������������
����������������������������������������
���������� ��������������
��� �������� ��������� ����� �� ���� ��������� ��� ��� ���� ���� �����
����������� �������������������� ������������������� �������� �����������
����� ��� ��� ������ ����� ������� ��� ��������������� ����������� ����
�������� ���� �� ���� ��� ������� ������� �� ����� ��������� ��� ��� ������
���������������������������������
Evolution of this book
is course book has been contributed by the Open University
Netherlands (OUNL). e first edition of this book was written by
Sylvia Stuurman and Ella Roubtsova in 2007 as an OUNL course book
based on lectures given by Lex Bijlsma in the Software Technology
master programme of Utrecht University. ese lectures in turn owed
much to an earlier version by Gert Florijn. A second edition, with
contributions from Bastiaan Heeren, was published in 2009. e FTA
version was updated and rewritten by Sylvia Stuurman in 2011.
Participation
Users of FTA learning materials are encouraged to provide feedback and
make suggestions for improvement. A specific space for this feedback is
set up on the FTA website. ese inputs will be taken into account for
next versions. Moreover, the FTA welcomes anyone to use and distribute
this material as well as to make new versions and translations.
See for specific and updated information about the book, including
translations and other formats: http://ftacademy.org/materials/fsm/. For
more information and enrolment in the FTA online course programme,
please visit the Academy's website: http://ftacademy.org/.
I sincerely hope this course book helps you in your personal learning
process and helps you to help others in theirs. I look forward to see you
in the free knowledge and free technology movements!
Happy learning!
Wouter Tebbens
President of the Free Knowledge Institute
Director of the Free technology Academy
Software architecture
Course book
Course team
dr. A. Bijlsma
dr. B.J. Heeren
dr. E.E. Roubtsova
ir. S. Stuurman
Software architecture
Course book
Contents
Contents 1
2 Requirements engineering 18
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.1 Important concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2 Use cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.3 Three types of requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.4 Summary requirements engineering . . . . . . . . . . . . . . . . . . . . . 26
2.5 Tactics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Discussion questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4 Architectural patterns 50
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
4.1 Architectural patterns or styles . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2 Examples of architectural patterns . . . . . . . . . . . . . . . . . . . . . . 52
4.3 Architectural styles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.4 Applying patterns: KWIC example . . . . . . . . . . . . . . . . . . . . . . 65
4.5 Choosing a style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Discussion questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
1
2 CONTENTS
Bibliography 148
Block I
3
Module 1
INTRODUCTION
Software architecture is the subject of this course. In this introduction, we will explain
what software architecture is. You will find out why we need software architecture
and you will see aspects of scientific research that is done on software architecture.
You will be introduced to some of the topics within the field of software architecture
that will be covered in this course: software architecture as a solution balancing the
concerns of different stakeholders, quality assurance, methods to describe and evaluate
architectures, the influence of architecture on reuse, and the life cycle of a system and its
architecture. This learning unit concludes with a comparison between the professions
of software architect and software engineer.
All aspects of software architecture that are introduced in this module will be treated
in more detail in individual modules.
LEARNING OBJECTIVES
After having studied this module you should be able to:
– describe the place of software architecture in the life cycle,
– explain the need for an architecture,
– describe the responsibilities of a software architect,
– explain the relationship between stakeholders and the architecture for a
system,
– describe the role of requirements in software architecture,
– explain the role of compromise in creating an architecture,
– explain the relationship between architecture and reuse.
6
MODULE 1. INTRODUCTION TO SOFTWARE ARCHITECTURE
1.1.1 A definition
DEFINITION 1.1 The IEEE standard 1471 defines software architecture as the fundamental organization
of a system embodied in its components, their relationships to each other and to the
environment and the principles guiding its design and evolution.
Standard architectures
COTS software
Existing systems
Higher-level rules
Domain model
Architecture
design
Frameworks
Components
Patterns
Demands
Design
Technology
Infrastructure
Implementation
Production
Configurations
Change requests
Enhancements
Figure 1.1 shows the life cycle of a system, and the place of architecture in the life
cycle. Software architecture links requirements analysis with realization and it may
be explored and defined incrementally. Its existence allows to predict quality aspects
before realization. The architecture must be stable before major development starts.
An architecture can help evolutionary development, when evolution is one of the re-
quirements. A software architecture may be seen as a blueprint and guideline for real-
ization.
DEFINITION 1.2 Architectural conformance is the extent to which the architecture is actually used.
Applications are becoming larger, more integrated, and are implemented using a wide
variety of technologies. The various technologies and disciplines need to be orches-
trated to ensure product quality. Quality attributes like reliability or usability cannot
be analyzed at the code level, but they can be analyzed at the software architectural
level.
Software architecture has several functions, which we describe below.
In the first place, we need an architecture as a means for communication among stake-
holders.
DEFINITION 1.3 A stakeholder is anyone with a legitimate interest in the construction of a software
system. Stakeholders include the owner, the end users, the developers, project man-
agement, and the maintainers, amongst others. Stakeholders are representatives from
all stages of development, usage and support.
8
MODULE 1. INTRODUCTION TO SOFTWARE ARCHITECTURE
Software architecture does not only prescribe the structure of the system being de-
veloped. That structure also becomes engraved in the structure of the development
project. Because the architecture includes the highest level decomposition of the sys-
tem, it is typically used as the basis for the work-breakdown structure. This dictates units
of planning, scheduling, and effectively freezes the architecture. Development groups
typically resent relinquishing responsibilities, which means that it is very difficult to
change the architecture once these units have begun their work.
It is possible to decide that the appropriate architectural choices have been made (i.e.
that the system will exhibit its required quality attributes) without waiting until the
system is developed and deployed, because software architecture allows to predict sys-
tem qualities. This is further explained in the learning unit dedicated to architecture
evaluation.
DEFINITION 1.4 The scope of a software architecture is the range of applications to which it pertains.
An architecture describes at least a single system or product, such as a specific version
of OpenOffice Writer. A more general scope is that of a system family. An example of a
system family is the OpenOffice software suit. This family consists of several products,
for word processing, spreadsheets, presentations, graphics, databases and more, but all
built along similar architectural lines [37]. The scope may be that of an organization as
a whole, of a domain, or the scope may be generic.
An example of a domain architecture is a compiler. A compiler generally consists of
several basic elements (the front end, back end, symbol table and such), that behave
in a well known way and are interconnected in a regular fashion. Someone design-
ing a compiler would not start from scratch, but would begin with this basic domain
architecture in mind when defining the software architecture of a new compiler.
Another aspect in which architectures differ is their focus:
– An application architecture is a blueprint for individual applications, their interac-
tions, and their relationships to the business processes of the organization. It is
built on top of the IT architecture.
– Information architecture is concerned with logical and physical data assets and data
management resources.
– An IT architecture defines the hardware and software building blocks that make
up the overall information system of the organization. The business architecture
is mapped to the IT architecture. The purpose of an IT architecture is to enable
the organization to manage its IT investment in a way that meets its needs. It in-
cludes hardware and software infrastructure including database and middleware
technologies.
– The business architecture defines the business strategy, governance, organization,
and key business processes within an organization. The field of business process
reengineering (BPR) focuses on the analysis and the design of business processes,
not necessarily represented in an IT system.
10
MODULE 1. INTRODUCTION TO SOFTWARE ARCHITECTURE
DEFINITION 1.5 A concern is an interest related to the development, operation, use or evolution of a
system. A concern may be related to functionality, quality areas, costs, technology,
and so forth.
Examples of concerns are providing a certain behavior at runtime, performing well
on a particular piece of hardware, being easy to customize, achieving a short time to
release, or gainfully employing programmers who have a particular specialty.
Concerns are very important: it is costly or impossible to repair or ignore them. Con-
cerns may be contradictory. Speed, flexibility or reliability for instance, may ask for
different solutions. Therefore it is important to prioritize.
The traden offs between performance and security, between maintainability and reli-
ability, between the cost of initial development and the cost of future developments,
are all manifested in the architecture. The system’s behavior on these quality issues is
the result of structural trade-offs made by the developers, and is traditionally undocu-
mented!
Architects must identify and actively engage the stakeholders to solicit their needs and
expectations. Without such active engagement, the stakeholders will, at some point,
explain to the architects why a proposed architecture is unacceptable, thus delaying
the project. Early engagement allows architects to understand the constraints of the
task, to manage expectations, and to negotiate priorities.
The architect must understand the nature, source, and priority of these constraints.
This places the architect in a better position to make trade-offs when conflicts among
competing constraints arise, as they inevitably will.
The architect needs more than just technical skills. Stakeholders will have to be in-
formed on a continuing basis why priorities have been chosen, and why some expecta-
tions cannot be met. Diplomacy, negotiation, and communications skills are essential.
DEFINITION 1.6 A quality framework establishes a terminology for quality attributes (as a common lan-
guage for negotiation with and among stakeholders) and establishes measures for the
attributes.
Figure 1.2 presents the properties that are used as parameters of quality. Quality must
be considered at all phases of design, implementation, and deployment, but different
qualities manifest themselves differently during these phases. For instance, many as-
pects of usability are not architectural: making the user interface clear and easy to use
is primarily a matter of getting the details correct (radio button or check box?). These
details matter tremendously to the end user, but they are not always architectural.
The quality properties that are important in the requirements are assessed from the de-
scription of an architecture. When analysis of the description shows that the desired
properties will not be fulfilled, improvements to the architecture are needed. Proper-
ties can not always be automatically analyzed, or even analyzed at all or at this early
�����������
����������� ������������
�������� ��������������
����� ��������� ���������� �����������
�������������� ���� ��������� ��������������
������������ ������������������
�������������
stage of system design. Therefore, reviews of experts are also an important method for
quality assurance.
Techniques for quality assurance are: applying specific measures to design, technology,
process and so on, building architectural prototypes, reviews by experts, assessment
methods and methods for automatic analysis (which require suitable models and de-
scriptions).
12
MODULE 1. INTRODUCTION TO SOFTWARE ARCHITECTURE
Models can be used for visualization, specification, as a template for construction, or for
documenting decisions. Every model can be expressed at different levels of precision.
A view is a projection of a model, omitting entities that are irrelevant from a certain
perspective or vantage point. Each viewpoint may define one or more views. No single
model suffices. Systems are best approached through a small set of nearly independent
models with multiple views.
– Views belonging to the functional viewpoint describe the system’s runtime func-
tional elements and their responsibilities, interfaces, and primary interactions.
The functional view of a system defines the architectural elements that deliver the
system’s functionality. These views document the system’s functional structure-
including the key functional elements, their responsibilities, the interfaces they
expose, and the interactions between them. Diagrams used in these views model
elements, connectors, interfaces, responsibilities and interactions, for instance us-
ing UML component diagrams.
– Views belonging to the information viewpoint describe the way that the architec-
ture stores, manipulates, manages, and distributes information. This viewpoint
concerns both the information structure and the information flow. Diagrams for
these views are for instance DFD’s (Data Flow Diagrams), UML Class diagrams,
ER (entity-relation) diagrams, and so on.
– Views belonging to the concurrency viewpoint describe the concurrency structure
of the system, mapping functional elements to concurrency units to clearly iden-
tify the parts of the system that can execute concurrently, and shows how this
is coordinated and controlled. This viewpoint is concerned with the system’s
concurrency and state-related structure and constraints. Diagrams which can be
used for these views are for instance UML state diagrams or UML component
diagrams.
– Views belonging to the development viewpoint describe the architecture that sup-
ports the software development process. Aspects are module organization, stan-
dardization of design and testing, instrumentation, code structure, dependencies,
configuration management. Diagrams for these views are for instance UML com-
ponent diagrams with packages.
– Views belong to the deployment viewpoint describe the environment into which
the system will be deployed, including the dependencies the system has on its
runtime environment. Aspects in this viewpoint are specifications of required
hardware, of required software, or network requirements. Diagrams for these
views are UML deployment diagrams.
– Views belonging to the operational viewpoint describe how the system will be oper-
ated, administered, and supported when it is running in its production environ-
ment. Aspects in this viewpoint are installation and upgrade, functional migra-
tion, data migration, monitoring and control, backup, configuration management
and so on.
Depending on the nature of the system, some views may be more important than oth-
ers. In data-intensive systems, views addressing the information viewpoint will domi-
nate. In systems which will have many short release cycles, the deployment viewpoint
and the views belonging to it will be important. In real time systems, the concurrency
viewpoint will be important.
The choice of what viewpoints to use has a profound influence on how a problem
is attacked and a solution is shaped. The viewpoints you choose greatly affect your
world view. If you build a system through the eyes of a database developer, you will
likely focus on entity-relationship models. If you build a system through the eyes of a
structured analyst, you will likely end up with models that are algorithm-centric, with
data flowing from process to process. If you build a system through the eyes of an
object-oriented developer, you will end up with a system with an architecture centered
around classes and their interactions. Each world view leads to a different kind of
system, with different costs and benefits.
Product lines
������������������
�������������
���
������
���������������
�������
�������������
������������������
Product lines form an example of reuse-driven development. Figure 1.3 shows the num-
ber of product variants from left to right, and the number of sales per variant from be-
low to above. It shows how the production of individual cars using traditional crafts-
manship (Bugatti) has evolved to mass production of a single model (T-Ford), and later
to mass production and mass customization, which makes it possible to produce multi-
ple models in great quantities. Mass customization in the automotive industry is what
product lines are in the software industry.
DEFINITION 1.7 A software product line (SPL) is a set of software-intensive systems that share a com-
mon, managed set of functional modules and non-functional features satisfying the
specific needs of a particular market segment or mission and that are developed from
a common set of core assets in a prescribed way [11].
In other words, a software product line is a family of similar systems. The commonality
of the systems is called the commonality; the variations are called the variability. Require-
ments for products within a product line are modeled in a feature model (where feature
stands for a requirement from a user’s perspective), which makes it possible to discern
common features for all products within the product line, and features that vary among
different products.
Common components or a framework offer the common features; application-specific
extensions offer the variability. Domain engineering addresses the systematic creation
14
MODULE 1. INTRODUCTION TO SOFTWARE ARCHITECTURE
Reverse engineering
Development often involves legacy systems that need to be reused, and sometimes
reorganized.
DEFINITION 1.8 A legacy system is an existing computer system or application program which contin-
ues to be used because the user (typically an organization) does not want to replace
or redesign it.
When we deal with a legacy system we rarely have up-to-date documentation. The
architecture models often need to be recovered, the data types transformed and the
source code refactored.
DEFINITION 1.9 The process of recovering the architecture of a legacy system is called reverse engineer-
ing.
Reverse engineering is a process of examination; the software system under considera-
tion is not modified. Doing the latter would make it re-engineering.
Refactoring means modifying source code without changing its external behavior. Refac-
toring does not fix bugs or add new functionality. The goal of refactoring is to improve
the understandability of the code, change its structure and design, remove dead code,
or make it easier to maintain the code in the future.
An example of a trivial refactoring is changing a variable name into one conveying
more information, such as from a single character ’i’ to ’interestRate’. A more complex
refactoring is to turn code within an if-block into a subroutine.
Reverse engineering is based on either human cognition or on technical approaches.
– Cognitive strategies are based on how humans understand software. A human
might take a top-down approach to understanding software (start at the high-
est level of abstraction and recursively fill in understanding of the subparts), a
bottom-up approach (start by understanding the lowest-level components and
how these work together), a model-based approach (if the investigator already
has a mental model of how the system works and tries to deepen the under-
standing of certain areas), or an opportunistic approach (some combination of
these approaches).
DISCUSSION QUESTIONS
16
MODULE 1. INTRODUCTION TO SOFTWARE ARCHITECTURE
Requirements engineering
INTRODUCTION
Choosing the software architecture for a system is the first step toward a system that
fulfills the requirements. Software requirements, therefore, are important to the field of
software architecture. Software requirements engineering is needed to understand and
define what problem needs to be solved. We need to discover, understand, formulate,
analyze and agree on what problem should be solved, why such a problem need to be
solved, and who should be involved in the responsibility of solving that problem [28].
In this module, we will discuss the concepts of stakeholder and concern, which are
both important with respect to requirements. We will discuss the different types of
requirements, and show a way to categorize them. We will show you different ways
to elicit requirements from stakeholders, ways to specify them, and ways to validate
them. Use cases are often used for specification of software requirements; we will
discuss them in more detail. We will also introduce tactics as a strategy to meet quality
requirements.
LEARNING OBJECTIVES
After having studied this module you should be able to:
– explain the notions of stakeholder and concerns,
– summarize the different types of requirements,
– state the steps to be taken in the requirements engineering process,
– describe how use cases can be used for specifying functional
requirements,
– describe why concerns have to be prioritized,
– describe the relationship between tactics and requirements.
18
MODULE 2. REQUIREMENTS ENGINEERING
The notions of stakeholder and concern are defined in definitions 1.3 and 1.5.
Examples of stakeholders are:
– Acquirers are those who decide which system to use,
– Assessors are those who check whether a given system conforms to needs or
constraints,
– Communicators are responsible for training and documentation
– Developers develop the system,
– Contributers develop or write documentation,
– Committers take decisions in the development process,
– Maintainers fix bugs and evolve the system,
– Suppliers provide components,
– Supporters provide help to users,
– System administrators keep the system running, administer users, and configure
the system,
– Testers test (parts of) the system,
– Users use it.
In many cases, it is useful to split some of those groups. Users of a content management
system for instance, may be divided in users who enter content, and users who only
consume content.
The concerns of different stakeholders are often mutually incompatible. Examples of
such incompatible concerns are performance versus security or modifiability versus
low cost. Concerns of the developer are not the same as those of the user or the acquirer.
The developer might be interested in using new techniques and experimenting, while
the user may want a product which is stable, and the acquirer wants a product which
can easily be adapted or configurated. This means that the architecture of a system
is usually a compromise or trade-off among incompatible concerns. It is important to
document and explicitly prioritize concerns. An architecture is the earliest artifact that
allows the priorities among competing concerns to be analyzed.
Standard architectures and architectural patterns have well known effects on the qual-
ity attributes of a system. This makes it possible to reason about the effect of the chosen
architecture on the qualities of the system that are requested by the different stakehold-
ers. Therefore, architectural decisions can be analyzed at an early stage (before design
starts), to determine their impact on the quality attributes of the system. It is worth do-
ing this analysis because it is virtually impossible to change the architecture at a later
stage of development.
DEFINITION 2.1 A software requirement is a condition or capacity needed by a user to solve a problem
or achieve an objective.
Requirements come in three types: functional, non-functional and constraints:
– Functional requirements present what the system should do. The rules of an online
game are examples of functional requirements.
– Non-functional requirements specify with what quality the system should work. A
possible non-functional requirement for an online game is that the game should
provide an interface that is easy to understand, or that the response on an action
of the user should be given within less than a certain maximum time.
– Constraints show the limits within which the system should be realized. For an
online game, a constraint could be that it should work with both Firefox and
Internet Explorer, without the need for a plugin.
We will discuss these different types of requirements further on in this module.
DEFINITION 2.2 Domain understanding means: acquiring a good understanding of the domain in which
the problem is rooted, and what the roots of the problem are. [28].
DEFINITION 2.3 Requirements elicitation means: the activity of discovering candidate requirements and
assumptions that will shape the system-to-be, based on the weaknesses of the current
system as they emerge from domain understanding. [28].
20
MODULE 2. REQUIREMENTS ENGINEERING
offering a means to ask for new features, report bugs, and comment on the offered
software product.
DEFINITION 2.4 Requirements evaluation means: making informed decisions about issues raised during
the elicitation process. [28].
Negotiation may be required in order to reach a consensus.
– Conflicting concerns must be identified and resolved.
– The risks associated with the system must be assessed and resolved.
– Alternative options must be compared.
– Requirements must be prioritized.
DEFINITION 2.5 Requirements specification means: rigorous modeling of requirements, to provide for-
mal definitions for various aspects of the system ([30]).
A requirements specification document should be:
– as precise as possible: it is the starting point for architecture and design,
– as readable as possible: it should be understandable for the user.
Preferred properties of a requirements specification are that the specification is correct,
unambiguous, complete, consistent, ranked for importance, verifiable, modifiable and
traceable.
Among the techniques for requirements specification are Entity-Relationship (E-R) mod-
eling, the Structured Analysis and Design Technique (SADT), Finite State Machines,
use cases and UML.
– E-R modeling is a semantic data modeling technique, developed as an extension
to the relational database model (to compensate for its absence of typing and
inadequate modeling of relations), not unlike the UML class diagram.
– SADT has been developed in the late 1970s by Ross [42]. It is based on a data-
flow model that views the system as a set of interacting activities. As notation
it uses rectangles representing system activity, with four arrows. An arrow from
the left signifies input, an arrow to the right signifies output, an arrow from above
signifies control or database, and an arrow from below signifies a mechanism or
algorithm.
– Finite state machines show states and transitions, with guards and actions. A finite
state machine models the different states the system can be in, where a state is
characterized by the actions that are enabled. Finite state machine modeling is
part of UML as state diagrams.
– UML incorporates class models, state diagrams and use cases — but not data
flow (data flow diagrams mix static and dynamic information, and are replaced
by activity and collaboration diagrams). Use cases will be treated in more detail
below.
DEFINITION 2.6 Requirements validation is concerned with checking the requirements document for
consistency, completeness and accuracy ([26]).
Requirements should be validated with stakeholders in order to pinpoint inadequacies
with respect to actual needs. [28]
Requirements verification is something else: a mathematical analysis, possibly automated,
of formal specifications for consistency. Verification only checks consistency; complete-
ness or accuracy cannot be checked with mathematical analysis. You need user inter-
action to validate requirements: the requirements document may not reflect the real
requirements.
Among the techniques for requirements validation are:
Use cases form a technique for specifying functional requirements: use cases are helpful
to specify what the system should do. A use case captures a contract with the stake-
holders of a system about its behavior. A use case describes the system’s behavior
under various conditions, as the system responds to a request from one of the stake-
holders, called the primary actor. Use cases are fundamentally a description of usage
scenarios in textual form.
An example of a use case is the following:
Use case:
Withdraw cash from ATM
Level:
User goal
Primary actor:
Account holder
Description:
Customer enters ATM card
ATM
reads the bank ID,
account number,
encrypted PIN from the card,
validates the bank ID and account number
with the main banking system
Customer enters PIN.
ATM validates it against the encrypted PIN from the card.
Customer selects ‘Withdraw cash’ and withdrawal amount
ATM notifies main banking system of customer account and amount,
and receives bank acknowledgment
ATM delivers cash, card, and a receipt
ATM logs the transaction
As you can see, the basic format for a use case is the following:
Use case:
<use case goal>
Level:
<one of: summary level, user-goal level, subfunction>
Primary actor:
<a role name for the actor who initiates the use case>
Description:
<the steps of the main success scenario
from trigger to goal delivery and any cleanup after>
Several use cases may be combined in a use case diagram. Figure 2.1 shows an example.
The line drawn between an actor and a use case is an association: the participation of
22
MODULE 2. REQUIREMENTS ENGINEERING
ATM
Withdraw
cash
an actor in a use case. Instances of the actor and instances of the use case communicate
with each other. This is the only relationship between actors and use cases.
An actor can be thought of as a role. In Figure 2.1 we see two actors: the customer
and the main banking system. Both actors are associated with two use cases: withdraw
cash and check balance.
Handle claim
<<include>> <<extend>>
<<include>>
Find policy
holder
– An include relationship from a use case E to a use case F indicates that an instance
of the use case E will also contain the behavior as specified by F. The behavior is
included at the location which defined in E. (see [33]).
Some advice on how to write use cases:
– A use case is a prose essay. Make the use cases easy to read using active voice,
present tense, describing an actor successfully achieving a goal.
– Include sub-use cases where appropriate.
– Do not assume or describe specifics of the user interface.
– An actor is not the same as an organizational role: an actor is a person, organi-
zation, or external system that plays a role in one or more interactions with the
system.
– Use UML use case diagrams to visualize relations between actors and use cases
or among use cases. Use text to specify use cases themselves!
– It is hard, and important, to keep track of the various use cases.
24
MODULE 2. REQUIREMENTS ENGINEERING
model. A software quality model serves as a discussion framework, a scheme for users
and developers to talk about different kinds of quality, to prioritize different kinds of
quality, and to check the completeness of quality requirements.
Maintainability =
{Stability, Analyzability, Changeability, Testability}
Every sub-characteristic is divided into a set of attributes, an entity which can be mea-
sured or verified. The attributes are not defined in the standard quality mode.
�����������
����������� ������������
�������� ��������������
����� ��������� ���������� �����������
�������������� ���� ��������� ��������������
������������ ������������������
�������������
Maintainability =
ISO9126.Maintainability + {Manageability, Reusability}
It also adds attributes to ISO 9126: e.g. Reusability has the attributes Ratio-reused-parts
and Ratio-reusable-parts, where a part is a module, a component or a sub-system. It
also provides metrics to measure quality; Ratio-reused-parts, for example, is measured
as the size of the reused parts divided by the size of the entire software product.
When using Quint2 as a software quality model, keep in mind that not all 32 qual-
ity attributes are equally important. A requirements engineer should prioritize the
requirements.
Quality requirements should be measurable. For example, the requirement ‘The system
should perform well’ is not measurable, but the requirement ‘The response time in
interactive use is less than 200 ms’ is measurable.
Change scenarios
Some quality requirements do not concern functionality but other aspects of the sys-
tem. These quality requirements are mainly attributes from the Maintainability and
Portability group, such as Changeability and Adaptability. These requirements cannot
be linked to use cases.
Such quality requirements should be linked to specific change scenarios. By doing
that, you avoid being vague. For instance, instead of writing ‘The system should be
very portable’, you should write ‘The software can be installed on the Windows, Mac,
and Unix platforms without changing the source code’. Instead of writing ‘The system
should be changeable’, you should write ‘Functionality that makes it possible for users
to transfer money from savings to checking account can be added to the ATM within
one month’.
2.3.3 Constraints
Although functional and quality requirements specify the goal, constraints limit the
(architectural) solution space. Stakeholders should therefore not only specify require-
ments, but also constraints.
Possible constraint categories are the following:
– Technical constraints, such as platform, reuse of existing systems and compo-
nents, use of standards;
– Financial constraints, such as budgets;
– Organizational constraints, such as processes, skill (or lack of skill) of employees,
formal rules and policies;
– Time constraints, such as deadlines.
26
MODULE 2. REQUIREMENTS ENGINEERING
2.5 Tactics
Once determined, the quality requirements provide guidance for architectural deci-
sions. An architectural decision that influences the qualities of the product is some-
times called a tactic [5]. Mutually connected tactics are bundled together into architec-
tural patterns: schemes for the structural organization of entire systems. We will discuss
patterns in detail in the learning unit about patterns.
As an example of tactics, we show some tactics to achieve recoverability (a subcharac-
teristic of the Reliability factor in ISO 9126):
– Voting between processes running on redundant processors. This tactic detects
only processor faults; not algorithmic errors.
– In a hot restart, only a few processes will experience state loss. In a “cold” restart,
the entire system looses state, and is completely reloaded. In a hot restart model,
the application saves state information about the current activity of the system.
The information is given to the standby component so it is ready to take over
quickly. There may be redundant standby components, that respond in parallel.
The first response is used, the others are discarded.
– Passive redundancy means switching to a standby backup on failure. This tactic is
often used in databases.
– Rollback: a consistent state is recorded in response to specific events, which makes
it possible to go back to the recorded state in case of an error. This is often used
in databases, or with software installation.
Some tactics for changeability (a subcharacteristic of Maintainability) are:
– Maintaining semantic coherence: high cohesion within every module, loose cou-
pling to other modules;
– Hiding information. Provide public responsibilities through specified interfaces
that are maintained when the program evolves.
– Using an intermediary. For example, a data repository uncouples producer and
consumer; design patterns such as Facade, Mediator, and Proxy translate syntax.
Brokers hide identity.
DISCUSSION QUESTIONS
3. Can you think of other important qualities that are not explicitly mentioned in
these models?
28
Module 3
INTRODUCTION
During the phase of the design of the architecture, the focus is, for the first time in the
development process, on the proposed solution rather than on the problem domain.
The description of the architecture lays the foundation for design, by formulating rules
and principles that the design should adhere to.
Architecture, which is the prudent partitioning of a whole into parts, with specific re-
lations among the parts, is what allows a group of people - separated by organiza-
tional, geographical or temporal boundaries - to work cooperatively and productively
together to solve a much larger problem than any of them would be capable of individ-
ually. Each part can be built fairly independent of the other parts. Architecture is what
makes the set of parts work together as a successful whole. Architecture documenta-
tion is what tells developers how to achieve this.
The design of the architecture should balance the concerns of many different stake-
holders. Therefore, there will be no single ’best’ solution. Stakeholders concerns may
be contradictory, for instance, and a solution that answers one demand may conflict
with other demands. These choices, and their purpose, are recorded in the architecture
documentation. The documentation offers the means for an early validation: the cus-
tomers get an early chance to answer the question whether the proposed system really
is what they want, to solve their problem.
30
MODULE 3. DESCRIPTION AND EVALUATION
LEARNING OBJECTIVES
After having studied this module you should be able to:
– summarize the contents of the IEEE 1471 standard,
– explain what a viewpoint is,
– give examples of viewpoints,
– explain what a view is, and its relationship with a viewpoint,
– explain what an architectural description language is,
– describe several approaches to describe architectures,
– describe several approaches to evaluate architectures,
– explain which steps should be carried out evaluating an architecture
using the ATAM.
32
MODULE 3. DESCRIPTION AND EVALUATION
The IEEE Computer Society has developed the IEEE Standard 1471-2000 [50], called
the Recommended Practice for Architectural Description of Software-Intensive Systems, first
published in October 2000. The IEEE 1471 is a recommended practice. An organization
using the standard must decide how to employ IEEE 1471.
The standard applies to architectural description: architectural descriptions may conform
to the standard, but systems, projects, processes or organizations cannot. The standard
tells you how to describe an architecture, and is not a standard architecture, standard
architectural process, or method.
The recommended practice offers a model of architectural descriptions in their context.
It is written in terms of ‘shall’, ‘should’, and ‘may’, and is based on consensus. It applies
to systems where software plays a major role. It only focuses on the organization of the
descriptions; not on the systems themselves, or the actual models.
The standard does not prescribe specific languages, viewpoints, views (we will dis-
cuss the meaning of these concepts later on) or models. The standard does not contain
formal consistency criteria. So, architectural descriptions may be checked for confor-
mance to the recommended practice, but systems, projects, organizations, processes,
methods or tools cannot be checked for conformance.
1 h as an 1
Syst em Archit ect ure
1..* 1
has
describes
1..* 1
has is f or selects
1..* 1 1 1
Concern Viewpoint View
covers con forms to
Figure 3.3 shows some concepts used in the IEEE-1471 recommended practice, and
34
MODULE 3. DESCRIPTION AND EVALUATION
their relationships.
DEFINITION 3.1 A stakeholder is a person or an organization with an interest in the system. An archi-
tectural description should identify the stakeholders. A system will have at least one
stakeholder, and a stakeholder may be a stakeholder of different systems. A stake-
holder has at least one concern (an interest of a stakeholder), and each concern may be
shared by different stakeholders.
DEFINITION 3.2 A view is a representation of the whole system from the perspective of a related set of
concerns: a viewpoint. The architectural description of a system includes a number of
different views. In general, several diagrams and descriptions are used for one view.
DEFINITION 3.5 A rationale is an explanation or motivation for a specific choice or decision, or for a set
of decisions.
To adhere to IEEE 1471-2000, an architectural description should contain the following
elements:
4. For each viewpoint, an architectural description should contain one or more ar-
chitectural views. Each view corresponds to one viewpoint. A view is a represen-
tation of the system, based on a viewpoint. A view may consist of one or more
models. Each view will include introductionary information. In addition, for-
mal or informal consistency and completeness tests may be given, to be applied
on the models making up an associated view, evaluation or analysis techniques,
heuristics, patterns, guidelines and tips. Also, a rationale should be given, that
addresses the extent to which the stakeholders and concerns are covered.
6. A rationale should be given. The rationale is the motivation for the resulting ar-
chitecture and its description. Alternatives should be described, and decisions
should be explained with respect to the requirements.
Several authors have described collections of viewpoints. Rozanski and Woods [43]
describe the following viewpoints:
– The functional viewpoint describes the system’s runtime functional elements and
their responsibilities, interfaces, and primary interactions. The functional view of
a system defines the architectural elements that deliver the system’s functionality.
This viewpoint addresses all stakeholders.
– The information viewpoint describes the way that the architecture stores, manip-
ulates, manages, and distributes information. This viewpoint concerns both the
information structure and the information flow. Stakeholders are the users, the
owners and the developers.
– The concurrency viewpoint describes the concurrency structure of the system, map-
ping functional elements to concurrency units to clearly identify the parts of the
system that can execute concurrently, and shows how this is coordinated and
controlled. This viewpoint is concerned with the system’s concurrency and state-
related structure and constraints. Stakeholders are developers, testers, and some
administrators.
– The development viewpoint describes the architecture that supports the software
development process. Aspects are module organization, standardization of de-
sign and testing, instrumentation, code structure, dependencies, configuration
management. Stakeholders are developers and testers.
– The deployment viewpoint describes the environment into which the system will
be deployed, including the dependencies the system has on its runtime envi-
ronment. Aspects in this viewpoint are specifications of required hardware, of
required software, or network requirements. Stakeholders are system adminis-
trators, developers, testers, assessors.
– The operational viewpoint describes how the system will be operated, adminis-
tered, and supported when it is running in its production environment. Aspects
in this viewpoint are installation and upgrade, functional migration, data mi-
gration, monitoring and control, backup, configuration management and so on.
Stakeholders are system administrators, developers, testers, assessors.
Other common viewpoints are:
– Maintenance viewpoint. Stakeholders are the maintenance engineers. Important
aspects are the questions where new functionality can be added, which interfaces
should be implemented, how components are to be compiled and linked etc.
– Operations viewpoint. Stakeholders are operators. Questions to be answered are
how to install and configure the system on actual computers, how to monitor
execution state, or how to shut down in case of troubles.
– Management viewpoint. Stakeholders are the decision makers. Questions to be
answered are what kind of functionality the system will provide, how much it
will cost to introduce the system in the organization, what risks are involved etc.
36
MODULE 3. DESCRIPTION AND EVALUATION
System model Logical Application Distributed system Human interface Process Business rule
(logical) data model model model model structure model
Designer
Zachman Framework
The mission of the Zachman Institute for Framework Advancement (ZIFA) is to exer-
cise the Zachman Framework for Enterprise Architecture, for the purpose of advancing
the conceptual and implementation understanding of enterprise architecture [55].
The goals of the institute are to establish the Zachman Framework as a universal lan-
guage to facilitate communication, research and implementation of enterprise architec-
ture concepts. Table 3.1 shows the framework. Each row represents a point of view,
each column a certain aspect, and each cell a view. In this table, the cells show possible
models or documents for a given view.
Philippe Kruchten introduced his 4+1 model in [27]. It consists of a practical set of views
for software architecture.
The main stakeholders for the logical view are the end users, who are concerned with
functionality. Programmers are the stakeholders who are addressed in the development
view. The process view is for system integrators, who are concerned with quality as-
pects such as performance, scalability and throughput. The physical view is for system
engineers, who care about system topology, delivery, installation and communication
issues.
The scenarios are used for analysis and to demonstrate completeness and consistency
across the four views. Scenarios are also used to find relevant architectural concepts:
they are the starting point for the architecture.
This 4+1 model is subsumed into the Rational Unified Process (RUP), where views cor-
respond to UML diagram types. Concepts in the logical view are classes and services,
in the development view modules and packages, in the process view components and
processes, and in the physical view nodes and networks.
There are some guidelines to go from one view to another, for instance by mapping a
class to a process. The 4+1 model provides useful, somewhat technical views, with an
accent towards development. The model may also be used to describe existing systems.
A slightly different approach is documentation using viewtypes and styles [12]. This
approach aids in deciding which diagrams to use for a certain view.
DEFINITION 3.6 A viewtype is a category of views, containing similar elements and relationships. A
viewtype defines the element types and relationship types, used to describe the ar-
chitecture of a software system from a particular perspective.
For software systems, there are three viewtypes: the module viewtype, the connector
viewtype, and the allocation viewtype.
Module viewtype
The module viewtype is for modeling how the software system is structured as a set of
implementation units. Elements in this viewtypes are modules (which may be classes
or packages for instance). An element has a name, responsibilities, visible interfaces,
and implementation information (such as the set of code units that implement the mod-
ule). Relations within this viewtype have the form of part-of, depends-on, or is-a.
Several styles can be discerned within this viewtype: the decomposition style represents
the decomposition of the code into systems, subsystems, subsubsystems and so on.
The uses-style tells developers which other modules must exist for their portion of the
system to correctly execute. The generalization style shows the inheritance relations.
The layered style organizes the code into disjoint layers, where code in higher layers is
allowed to use code in lower layers according to predefined rules.
Examples of views within this viewtype are views belonging to Rozanski and Wood’s
development viewpoint. Notations for this viewtype are for instance UML class dia-
grams and package diagrams. A criticism of class diagrams however, is that all of these
relations are shown at the same time, which undercuts the usefulness of a view.
Connector viewtype
The connector viewtype is for modeling elements that have some run-time presence. El-
ements in this viewtype are runtime components: processes, objects, clients, servers,
38
MODULE 3. DESCRIPTION AND EVALUATION
data stores, filters and so on. Another kind of elements in this viewtype are con-
nectors: communication links, protocols, information flows, procedure calls, asyn-
chronous messages, pipes and so on. Relations in this viewtype attach connectors to
components.
Within this viewpoint, various styles may be used. Some examples are the pipe-and-
filter style, the shared-data-style, the publish-subscribe style, the client-server style, the peer-
to-peer style, or the communicating processes style. The correspondence of these styles to
the architectural patterns that we discuss in the corresponding learning unit, shows
that architectural patterns often prescribe runtime components and their relations.
An example of views within this viewtype are views belonging to Rozanski and Wood’s
concurrency viewpoint. Notations are for instance the UML 2.0 component diagram,
the UML-RT diagram, or a data flow diagram. Note, however, that what is meant with
runtime components is not exactly the same as what is meant with the components
that you will read about in other learning units. Components are defined as concrete
chunks of implementation (like executables or dll’s), that realize abstract interfaces.
UML 2.0 component diagrams are used because they use connectors and ports. Archi-
tecture description languages (we will discuss them later on) often address the connec-
tor viewtype.
Allocation viewtype
The allocation viewtype is for documenting the interaction of hardware, file systems and
team structure with software architecture.
Three styles can be discerned within this viewtype. In the deployment style, elements
are the processes from the connector viewtype, processors, memory, disk, and net-
work. Relations in this style are allocated-to and migrates-to. In the implementation
style, elements are modules, files and directories. Relations are allocated-to and con-
tainment. In the work assignment style, elements are modules, companies, teams and
persons. Relations are allocated-to.
This viewtype van be used for views belonging to Rozanski and Wood’s deployment,
operational and development viewpoints. Notations for this viewtype are UML de-
ployment diagrams, or UML artifact diagrams.
DEFINITION 3.7 An architecture description language (ADL) is a language (graphical or textual or both)
for describing software systems in terms of its architectural elements and the relation-
ships between them.
3.2.1 ACME
An example of an ADL is ACME. ACME is a language, suitable for the connector view-
type. Basic elements are components (with ports and properties) and connectors (with
roles and properties). As is seen in Figure 3.5, components may be connected to a con-
nector by attaching a port of a component to the role of a connector. The text is the
equivalent of a box-and-arrow diagram, with named ports on components, and named
roles on connectors. For both components and connectors, properties may be specified.
However, the properties are not interpreted.
ACME was originally intended as an interchange language for ADLs. Somehow, the
interchange strategy was never widely applied. Other drawbacks of ACME are: it is
highly verbose, and there are no semantics.
System s i m p l e _ c l i e n t _ s e r v e r = {
Component c l i e n t = {
P o r t send−r e q u e s t ;
}
Component s e r v e r = {
P o r t r e c e i v e −r e q u e s t ;
}
Connector rpc = {
Role c a l l e r ;
Role c a l l e e ;
Properties {
asynchronous : boolean = t r u e ;
max−r o l e s : i n t e g e r = 2 ;
}
}
Attachment c l i e n t . send−r e q u e s t t o rpc . c a l l e r ;
Attachment s e r v e r . r e c e i v e −r e q u e s t t o rpc . c a l l e e ;
}
3.2.2 Koala
Another example of an architecture description language is Koala. Koala is a graph-
ical language, aimed towards describing product families of embedded software in
consumer electronics (such as televisions or dvd players and recorders). This ADL is
developed by Philips Electronics. In Figure 3.6, the CTVPlatform component provides
three interfaces, the pprg interface of type Iprogram, the ppic interface of type Ipicture,
and the pini interface. It requires two interfaces as well, the interfaces fast and slow, of
type II2c. Interface types may be described using an interface definition language:
i n t e r f a c e ITuner {
40
MODULE 3. DESCRIPTION AND EVALUATION
void SetFrequency ( i n t f ) ;
i n t GetFrequency ( void ) ;
}
The block m in Figure 3.6 is a module that combines several interfaces. Koala com-
piles to C, which makes it possible to check the correspondence between provided and
required interfaces.
Koala supports product lines through explicit points of variation. It allows common
elements of architectures to be reused from product to product, and is still actively
used at Philips.
3.2.3 Wright
System Foo
Component Split =
port In = read?x -> In [] read-eof -> close -> �
port L, R = write!x -> Out [] close -> �
comp spec =
let Close = In.close -> L.close -> R.close -> �
in Close []
In.read?x -> L.write!x ->
(Close [] In.read?x -> R.write!x -> computation)
Component Print ...
Connector Pipe ...
Instances
split: Split; print: Print;
p1: Pipe
...
Attachments
split.Left as p1.Writer;
print.In as p1.Reader;
...
end Foo.
3.2.4 CommUnity
CommUnity is another ADL for the connector viewtype (just as ACME and Wright).
Like Wright, CommUnity offers means for describing components in terms of commu-
nication channels and actions.
design account is
in add: nat
out bal: int
do dep: true -> bal:=bal+add
[] wit: true -> bal:=bal-add
design regulator is
in a: nat, b: int
do reg: a<b ->
design channel is
in a: nat, b: int
---------------------------------
design safeaccount is
in add: nat
out bal: int
do dep: true -> bal:=bal+add
[] wit: add<bal -> bal:=bal-add
3.2.5 xADL
xADL is an extensible XML-based ADL. Its common features can be reused in every do-
main, and new features can be created and added to the language as first-class entities.
The syntax of xADL is defined in a set of XML schema’s. The syntax can be extended
through inheritance. xADL has an associated visualization which can be edited by the
ArchStudio development environment.
xADL is still a research project, but there are already lots of tools. It can be viewed as a
factory for domain-specific ADLs.
42
MODULE 3. DESCRIPTION AND EVALUATION
– Are the modeling constructs suitable? Some ADLs for instance offer constructs
for the connector viewtype.
– Do the elements have defined semantics?
– Is it possible to analyze completeness?
– What about maintainability? Is it possible to reuse and extend models?
– Are there tools available?
– What properties can you analyze? For instance, is it possible to analyze perfor-
mance?
– What about scalability? Does the language offer the possibility of composition
and decomposition?
– What about understandability? Is there a high learning curve? Can you use the
ADL to discuss the architecture with the stakeholders?
– Is it possible to automate conformance control?
Security
Auditing Communication
Module
structure Databases
Classes
Deployment
Configuration
management
Various terms are in use for the evaluation of architectures: assessment, analysis, re-
view, validation. It is an active research area. The main reason why we need to evaluate
architectures, is that this area is still something of a craft, without clear rules. We have
to learn by doing.
Evaluating architectures is cost saving, through early detection of errors and problems.
There is a reduced risk of disaster projects or acquisitions. Evaluation also increases
the understanding and documentation of systems. Requirements will be clarified and
prioritized. Evaluation can be seen as a form of organizational learning. But there
are also costs: reviewer time, development team time and focus, and time of other
stakeholders. For an analysis of costs and benefits, see [1].
Who? For the question who performs the evaluation, there are also several possible
answers:
– the development team itself,
– another group in the same organization,
– external reviewers, preferably with no interest in the outcome of the evaluation.
Issues here are the questions of domain knowledge and experience: the development
team will have both, the other group in the organization will probably only have do-
main knowledge, while a group of experts probably only will have experience. Other
issues are competition and bias.
How? The techniques for evaluating architectures can be divided in two sets:
– Questioning techniques. Possible methods are to generate discussion, based on
qualitative questions, to use questionnaires, to use checklists, or to use scenarios.
– Measuring techniques. Possible methods are to provide quantitative answers to
specific questions, to use metrics, to use simulation, or make use of prototypes,
or to use formal analysis.
44
MODULE 3. DESCRIPTION AND EVALUATION
DEFINITION 3.8 Scenarios are brief narratives of expected or anticipated use of a system from both
development and end-user viewpoints.
DEFINITION 3.9 A sensitivity point is an architectural decision involving one or more architectural com-
ponents and/or connections, that is critical for achieving a particular quality attribute
response measure [13].
DEFINITION 3.10 A trade-off point is an architectural decision that affects more than one attribute and is
a sensitivity point for more than one attribute ([13]). For example, changing the level
of encryption could have a significant impact on both security and performance, in
an opposite direction.
Scenario-based analysis can be used for different goals:
– Identify major risks. In that case, you use likely scenarios with major impact, or
you search for scenarios that are not handled in the architecture. By using those
scenarios to analyze the architecture, you identify sensitivity and trade-off points.
– Validate quality goals. The typical quality goals that you validate using scenario-
based analysis are maintainability and modifiability. The scenarios you use are
change scenarios, that are likely to be needed in a particular period. During the
analysis, you estimate the cost of realizing changes.
– Choose between architectural alternatives. Scenarios can be used to compare
scores among multiple candidates. Architectures are being scored with respect
to minimal risk, and the estimated effort for maintenance.
DEFINITION 3.11 ATAM is an abbreviation for Architecture Tradeoff Analysis Method. It is a scenario-
based, standardized evaluation method.
ATAM focuses on trade off’s between quality goals. This method requires the partici-
pation of three different groups: the evaluation team (a group of three to five people,
external to the project), the project decision makers (including the architect), and the
architecture stakeholders (developers, testers, users, ...).
Deliverables of this method are:
– quality requirements in terms of scenarios,
– a mapping of architectural decisions to quality requirements,
DISCUSSION QUESTIONS
46
Block II
47
Module 4
Architectural patterns
INTRODUCTION
Before major development starts, we need to choose an architecture that will provide
us with the desired quality attributes. Therefore we need a way to discuss architec-
tural options and their quality consequences in advance, before they can be applied to
a design. Our decisions at this stage can only be based on experience with architec-
tural choices in previous systems. Such architectural experience, reduced to its essence
and no longer cluttered with the details of the systems that produced it, is recorded in
architectural patterns.
Many systems have a similar structure. Distributed systems for instance, can have
a client-server structure, with clients making requests, and a server processing those
requests and answering them. When we observe a similarity, we want to know what
is common among the solutions, and what variations are possible. We ask in what
circumstances an approach may be used, and how it should be used and customized
for a particular system. An architectural pattern provides an answer to such questions.
This module introduces architectural patterns and their relation with design patterns.
We will discuss several architectural patterns: the layers pattern, the client-server pat-
tern, the master-slave pattern, the pipe-filter pattern, the broker, the peer-to-peer pat-
tern, the event-bus, model-view-controller, the blackboard, and the interpreter.
These examples do not exhaust all architectural patterns: we will discuss ways to clas-
sify them. With an example, we will show the effect of choosing different patterns for
the same problem. The example makes clear that you need to be able to choose the
right pattern for a given situation. To make the right choice you need experience with
different systems. Knowledge about patterns will help you to expand upon what you
learn by experience, because by learning about patterns, you learn from the experience
of others.
LEARNING OBJECTIVES
After having studied this module you should be able to:
– to describe the structure and function of the patterns which are covered
in this module,
– to describe the advantages and disadvantages of the patterns which are
covered in this module,
– to explain the difference between a style and a pattern,
– to give examples of applications of the patterns covered in this module,
– to name examples of patterns fitting in a certain style.
50
MODULE 4. ARCHITECTURAL PATTERNS
DEFINITION 4.1 An architectural pattern is a proven structural organization schema for software sys-
tems.
A pattern is a description of a set of predefined subsystems and their responsibilities. In
a system structured according to the client-server pattern, for instance, two subsystems
are distinguished: the client (which can have many instances), and the server (which
is unique). The responsibility of the client may be to show a user-interface to the user;
the responsibility of the server may be to process lots of questions, and to guard data
that are of interest to the client.
A pattern also describes rules and guidelines for organizing the relationships among
the subsystems. The relationship between client and server is that the client asks ques-
tions and the server answers them.
Patterns are written by people with lots of experience. Patterns make knowledge which
could have remained hidden in the heads of these experienced people explicit. This
enables others to learn from those experiences. Patterns are not constructed by a single
person: they reflect the experience of many developers. They capture existing, well-
proven solutions in software development, and help to promote good design practices.
Architectural patterns are also called styles, or standard architectures, but the word
architectural style is more often used for a concept less fine-grained than a pattern;
several patterns may then belong to the same architectural style. We will explain the
subtle differences later in this module.
may conflict with extensibility, for instance). Forces differ in the degree in which
they are negotiable.
– Solution: a proven solution for the problem. The solution is given as a structure
with components and relationships, and as a description of the run-time behavior.
The first description is a static model of the solution; the second is a dynamic one.
In this section, we describe several architectural patterns. For each we describe the
components and connections involved, give one or more usage examples, and discuss
advantages, disadvantages and other issues.
Layer n
Layer n - 1
The layers architectural pattern (see Figure 4.1) helps to structure applications that can
be decomposed into groups of subtasks, each of which is at a particular level of ab-
straction. Each layer provides services to the next higher layer. Services in a layer are
implemented using services from the next lower layer. Service requests are frequently
done by using synchronous procedure calls.
In short, this pattern means that conceptually different issues are implemented sepa-
rately, and that layers of a higher abstraction level use services of a lower abstraction
level, and not the other way around.
This pattern has the following benefits:
52
MODULE 4. ARCHITECTURAL PATTERNS
– A lower layer can be used by different higher layers. The TCP layer from TCP/IP
connections for instance, can be reused without changes by various applications
such as telnet or FTP.
– Layers make standardization easier: clearly defined and commonly accepted lev-
els of abstraction enable the development of standardized tasks and interfaces.
– Dependencies are kept local. When a layer shows the agreed interface to the
layer above, and expects the agreed interface of the layer below, changes can be
made within the layer without affecting other layers. This means a developer
can test particular layers independently of other layers, and can develop them
independently as well: development by teams is supported this way.
A result of the above is that layers may easily be replaced by a different implementa-
tion.
Provides miscellaneous
Application protocols for common
activities
Figure 4.2 depicts the ISO Open System Interconnect seven layer protocol (the ISO/OSI
protocol). TCP/IP is a simplified version of this protocol. FTP and HTTP are examples
from the application layer; TCP is the transport layer, and IP is the network layer.
Some other examples of this pattern are:
– In the Java virtual machine the application in Java consists of instructions for the
Java virtual machine; the JVM uses services from the operating system under-
neath.
– The standard C library is built on Unix system calls.
– Web application systems often show four or more layers: presentation, applica-
tion logic, domain logic, and data.
– The microkernel architecture has layers on top of the microkernel: The Mach
operating system, the JBoss application server and Apache Derby are examples
of the microkernel architecture.
Client
TCP/IP
Server
In the Client-server architectural pattern (see Figure 4.3), a server component provides
services to multiple client components. A client component requests services from the
server component. Servers are permanently active, listening for clients.
The requests are sent beyond process and machine boundaries. This means that some
inter-process communication mechanism must be used: clients and servers may reside
on different machines, and thus in different processes. In fact, you can see the Client-
server pattern as a form of the layered pattern, crossing process or machine boundaries:
clients form the higher level and the server forms the lower level.
54
MODULE 4. ARCHITECTURAL PATTERNS
Examples
Examples of the Client-server pattern are remote database access (client applications re-
quest services from a database server), remote file systems (client systems access files,
provided by the server system; applications access local and remote files in a transpar-
ent manner) or web-based applications (browsers request data from a web server).
Clients and servers are often involved in ‘sessions’. This can be done in two different
ways:
– With a stateless server, the session state is managed by the client. This client state
is sent with each request. In a web application, the session state may be stored as
URL parameters, in hidden form fields, or by using cookies. This is mandatory
for the REST architectural style [18] for web applications.
– With a stateful server, the session state is maintained by the server, and is associ-
ated with a client-id.
State in the Client-server pattern influences transactions, fault handling and scalability.
Transactions should be atomic, leave a consistent state, be isolated (not affected by
other requests) and durable. These properties are hard to obtain in a distributed world.
Concerning fault handling, state maintained by the client means for instance that ev-
erything will be lost when the client fails. Client-maintained state poses security issues
as well, because sensitive data must be sent to the server with each request. Scalability
issues may arise when you handle the server state in-memory: with many clients using
the server at the same time, many states have to be stored in memory at the same time
as well.
REST architecture
master
Client
service
splitWork
callSlaves
subService
subService
combineResults
Examples
An application area for the Master-slave pattern is fault tolerance: the master delegates
the job to be done to several slaves, receives their results, and applies a strategy to
decide which result to return to the client. One possible strategy is to choose the result
from the first slave that terminates. Another strategy is to choose the result that the
majority of slaves have computed. This is fail-proof with respect to slaves (the master
can provide a valid result as long as not all slaves fail), but not with respect to the
master. Failure of slaves may be detected by the master using time-outs. Failure of the
master means the system as a whole fails.
Another application area is parallel computing: the master divides a complex task into
a number of identical subtasks. An example is matrix computation: each row in the
product matrix can be computed by a separate slave.
56
MODULE 4. ARCHITECTURAL PATTERNS
The Pipe-filter architectural pattern (see Figure 4.6) provides a structure for systems that
produce a stream of data. Each processing step is encapsulated in a filter component (a
circle in Figure 4.6). Data is passed through pipes (the arrows between adjacent filters).
The pipes may be used for buffering or for synchronization.
Examples
Examples of the Pipe-filter pattern are Unix shell commands, such as:
This pattern divides the task of a system into several sequential processing steps. The
steps are connected by the data flow through the system: the output of a step is the
input for the next step. In the example, the cat filter reads the file and passes the
contents of the file to the grep filter. The grep filter selects lines containing xyz, and
passes these lines to the sort filter. The sort filter sorts the lines, and passes the
sorted lines to the uniq filter. The uniq filter removes duplicate lines, and passes the
result to out.
A filter consumes and delivers data incrementally (another name for the same concept
is lazily): it produces output as soon as it comes available, and does not wait until all
input is consumed.
Another example of the Pipe-filter pattern is formed by compilers. A lexical analyzer
analyses the source file and sends the resulting tokens to a parser, which sends the
resulting parse tree to a semantic analyzer, which produces an augmented syntax tree,
that is used by the code generator to produce code, which may be optimized, and
ultimately translated into machine code (there may be more or fewer steps involved).
Figure 4.7 shows the components of a compiler. In practice, compilers do not follow
the pattern strictly: the steps share global data (the symbol table).
Lexical
Interpreter
analysis
Parser Optimization
The Pipe-filter pattern has several nice properties, and some disadvantages. It is easy
to add new filters: a system built according to the pipe-filter pattern is easy to extend.
Filters are reusable: it is possible to build different pipelines by recombining a given set
of filters. Because of the standard interface, filters can easily be developed separately,
which is also an advantage. However, that same interface may be the cause of overhead
because of data transformation: when the input and the output have the form of a
string for instance, and filters are used to process real numbers, there is a lot of data-
transformation overhead.
Filters do not need to store intermediate results in files, and need not share state. Input
and output can come from, and go to different places. Another advantage of the Pipe-
filter pattern is that it shows natural concurrent processing, when input and output
consist of streams, and filters start computing when they receive data. Analysis of the
behavior of a pipe-filter-based system is easy, because it is a simple composition of the
behaviors of the filters involved. When the input is called x, the behavior of the first
filter is described by function g, and the behavior of the second filter is described by
function f, the result of the pipeline can be described as:
f(g(x))
58
MODULE 4. ARCHITECTURAL PATTERNS
components have to know each others’ location and other details (see Figure 4.8). A
broker component is responsible for the coordination of communication among com-
ponents: it forwards requests and transmits results and exceptions.
Servers publish their capabilities (services and characteristics) to a broker. Clients re-
quest a service from the broker, and the broker then redirects the client to a suitable
service from its registry.
Using the Broker pattern means that no other component than the broker needs to focus
on low-level interprocess-communication.
To give a textual description of the interfaces a server offers, an Interface Definition Lan-
guage (IDL) is used. Examples of IDLs are OMG-IDL (Object Management Group, for
CORBA), Open Service Interface Definitions, or WSDL (Web Service Description Lan-
guage).
Alternate software may use a binary standard, like Universal Network Objects for the
OpenOffice suit. Such a binary description consists of a repository which binds service
names to components. It allows clients to use components indirectly, using those ser-
vice names. A binary standard needs support from the programming language used.
Examples
UDDI registry
find
User
application
publish
invoke
(SOAP)
Web services
host
An example in which the Broker pattern is used is formed by web services. The Broker
pattern in a web services application, as shown in Figure 4.8, is the server with the
UDDI registry. UDDI stands for Universal Discovery, Description and Integration. It is
a repository of web services. The IDL used for web services is WSDL. SOAP (Simple
Object Access Protocol) is the transport protocol for messages, written in XML.
Another example of the Broker pattern is CORBA, for cooperation among heteroge-
neous object-oriented systems, and web services.
The Broker pattern allows dynamic change, addition, deletion and relocation of objects,
and it makes distribution transparent to the developer. It requires standardization of
service descriptions. When two brokers cooperate, bridges may be needed to hide
implementation details, as in Figure 4.9:
forward request
find server
pack data
forward message
unpack data
find service
Process boundary
Broker A receives an incoming request for a certain service. It locates the server re-
sponsible for executing the specified service by looking it up in the repositories. Since
the corresponding server is available at another network node, the broker forwards the
request to a remote broker. The message is passed from broker A to bridge A. This com-
ponent is responsible for converting the message from the protocol defined by broker
A, to a network-specific but common protocol understandable by the two participating
bridges. After message conversion, bridge A transmits the message to bridge B. Bridge
B maps the incoming request from the network-specific format to a broker B-specific
format. Broker B then performs all the actions necessary when a request arrives, as
described in the first step of the scenario.
Peer (client
and server)
Peer (client
and server)
The Peer-to-peer pattern can be seen as a symmetric Client-server pattern: peers may
function both as a client, requesting services from other peers, and as a server, provid-
ing services to other peers. A peer may act as a client or as a server or as both, and it
may change its role dynamically.
60
MODULE 4. ARCHITECTURAL PATTERNS
Both clients and servers in the Peer-to-peer pattern are typically multithreaded. The
services may be implicit (for instance through the use of a connecting stream) instead
of requested by invocation.
Peers acting as a server may inform peers acting as a client of certain events. Multiple
clients may have to be informed, for instance using an event-bus.
Examples
Examples of the Peer-to-peer pattern are the domain name system for internet, the
distributed search engine Sciencenet, multi-user applications like a drawing board, or
peer-to-peer file-sharing like Gnutella [52].
Source Source
Listener Listener
The Event-bus pattern is a pattern that deals with events. It works as follows: event
sources publish messages to particular channels on an event bus. Event listeners sub-
scribe to particular channels. Listeners are notified of messages that are published to a
channel to which they have subscribed.
Generation and notification of messages is asynchronous: an event source just gener-
ates a message and may go on doing something else; it does not wait until all event
listeners have received the message.
Channels may be implicit, for instance using the event pattern, implemented in the
Java event model. An explicit channel means that a subscriber subscribes directly at
specific named publisher; an implicit channel means that a subscriber subscribes to a
specific named channel (to a particular event type in the Java event model), and does
not need to know which producers produce for that channel.
Examples
Event bus
Unit test
Edit tool Build tool Debug tool
runner
The Event-bus pattern is used in process monitoring, in trading systems, and in soft-
ware development environments as is shown in Figure 4.12. Another example is real-
time data distribution middleware, like OpenSplice [40].
The Event-bus pattern has the following characteristics. New publishers, subscribers
and connections can be added easily, possibly dynamically. Delivery issues are impor-
tant: for the developer of an event listener, it is important to realize that assumptions
about ordering, distribution, and timeliness are hard to make. Also, scalability may be
a problem, as all messages travel through the same event bus: with an increase of the
number of messages, the capacity of the event bus may become the bottleneck.
The Event-bus pattern also allows several variations. The bus can provide event trans-
formation services, for instance, or the bus can provide coordination, to script specific
tasks.
input
events view control
Controller View
change
notification
update query
model model
Model
In the Model-View-Controller pattern, or MVC pattern (see Figure 4.13), an interactive ap-
plication is divided into three parts: the model contains the core functionality and data,
the view displays the information to the user (more than one view may be defined), and
the controller handles the input from the user.
The MVC pattern is particularly suitable for multiple graphical user interfaces (GUIs).
The model does not depend on the number and kind of GUIs, so the pattern allows for
easy changes to the “look and feel”.
Consistency between model and view is maintained through notification. The MVC
pattern often uses the observer design pattern. User input can invoke a change in the
model, and a subsequent change in what the view displays, as is shown in the sequence
diagram of the MVC pattern in Figure 4.14.
62
MODULE 4. ARCHITECTURAL PATTERNS
handle event
update model
notify
update view
query model
display
Examples
The MVC pattern was introduced with the Smalltalk programming language. It was
called a paradigm then: the concept of pattern did not exist.
Examples of the MVC pattern are web presentation (see the module on enterprise ap-
plication architecture), and the document-view architecture of Windows applications,
which enables users to see for instance OpenOffice Writer or Impress documents in
different views (think of print layout, web layout, overview).
The MVC pattern makes it easy to have multiple views of the same model, which can
be connected and disconnected at run-time. It is possible to base an application frame-
work on this pattern. Smalltalk development environments already did this.
However, the MVC pattern increases complexity. Not all visible elements lend them-
selves for separation of model, views and control: menus and simple text elements may
be better off without the pattern. Also, the pattern potentially leads to many unneces-
sary updates, when one user action results in different updates.
View and control are separated, but are very closely related. In practice, they are often
put together. Views and controllers are also closely coupled to the model. In web
applications, a change in the model (for instance adding an e-mail address to data
about persons) will lead to a change in the view and controller as well (the web site
will have to show the property, and the possibility to change the property should be
added as well).
The Blackboard pattern is useful for problems for which no deterministic solution strate-
gies are known. Several specialized subsystems assemble their knowledge to build a
possibly partial or approximate solution.
All components have access to a shared data store, the blackboard. Components may
produce new data objects that are added to the blackboard. Components look for par-
ticular kinds of data on the blackboard, and may find these by pattern matching.
KnowledgeSource
1..*
updateBlackboard()
1..*
1 1
Blackboard Control
solutions loop()
nextSource()
inspect()
update()
Examples
Examples of problems in which the Blackboard pattern can be usefully applied are
speech recognition, submarine detection, or inference of the 3D structure of a molecule.
Tuple Space systems, like JavaSpaces, form another example of this pattern.
Adding new applications is easy. Extending the structure of the data space is easy as
well, but modifying the structure of the data space is hard, as all applications are af-
fected. Furthermore, processes have to agree on the structure of the shared data space.
There may be a need for synchronization and access control.
The Interpreter pattern is used for designing a component that interprets programs writ-
ten in a dedicated language. The interpreted program can be replaced easily.
Examples
Examples of the interpreter pattern are rule-based systems like expert systems, web
scripting languages like JavaScript (client-side) or PHP (server-side), and Postscript.
64
MODULE 4. ARCHITECTURAL PATTERNS
Patterns have been developed bottom-up: for a given problem, a certain kind of solu-
tion has been used over and over again, and this solution has been written down in the
form of a pattern.
Architectural styles on the other hand, have been formulated top-down: when you see
a software system as a configuration of components and connectors, you can classify
them according to the nature of the components and connectors. In general, patterns
will belong to one of those styles.
Mary Shaw and Paul Clements have proposed a classification of styles [47], based on
the constituent parts (components and connectors), control issues and data issues. This
classification is as follows:
– Interacting processes have their own thread of control. Communication may have
the form of asynchronous message passing, implicit invocation through events,
or remote procedure calls. When the Event bus pattern is implemented with in-
dependent processes or with objects with their own thread of control, this pattern
is an example of this style. The Client-server pattern and Peer-to-peer pattern are
examples as well.
– In the Dataflow style, data flows from one component to another, in a stream. A
pattern that belongs to this style is the Pipe-filter pattern. Some instances of the
Client-server pattern also belong to this style, for instance when a client is used
to receive and display streaming audio or video sent by a server.
– The Data centered style means that data is stored centrally. An example of this
style is the Blackboard pattern. Again, instances of the Client-server pattern may
belong to this style, when the main function of the server is to manage a database,
and clients are used to access that database.
– In the Hierarchical style, the system is partitioned into subsystems with limited
interaction. Patterns within this style are the Interpreter and the Layers pattern.
– The Call and return style has the calling process wait for the return of request. Pat-
terns within this style are the Master-slave and, again, the Layers pattern. Object-
oriented systems without threads are also an example of this style.
Main
input output
file file
line-table index index-2
Traditionally, the KWIC problem is solved using shared data and functional decompo-
sition. Figure 4.16 is a Yourdon structure chart [56] for the classical solution to the KWIC
problem. The processing elements are subroutines, and an arrow means an invocation.
The small arrows show which data is added to the shared data.
The Main subroutine invokes functions. The first invoked function reads the input file,
and adds a table of lines to the shared data. The second function performs the circular
shift, and adds the various shifted lines to the shared data (as a series of indexes to
indicate the order). The third function then sorts all these lines, and adds the resulting
lines to the shared data (once again using indexes). The last invoked function writes
the result to an output file.
Main
An alternate solution to the KWIC problem uses the Layers pattern. In Figure 4.17, the
elements are objects, and the arrows denote method calls. No data is shared: commu-
nication of data is done through method calls only.
The advantage of this solution is that the data is hidden inside the objects, which means
that choices for data structures and algorithms are encapsulated in specific compo-
nents, and may therefore be more easily changed, by keeping the abstract interfaces as
they are.
The organization in layers is based on objects only calling methods from objects in the
same layer or in the layer directly beneath them.
66
MODULE 4. ARCHITECTURAL PATTERNS
Bus
4.4.3 Event-bus
Another solution to the KWIC problem uses the Event-bus architecture. Components
that are interested in certain events are notified when those events become available.
That means that components are called implicitly.
Figure 4.18 is a dataflow diagram [57]. Elements are processes, and the arrows are data
in transfer between processes. The shifter will be invoked after the input process has
inserted the first line. Data should be shared between the input process and the circular
shift, and among the circular shift, the sorter and the output process. The sorter is
invoked each time the circular shifter has inserted a line in their shared data.
This solution does not offer the advantages of data hiding of the previous solution,
but it can be quicker because there may be parallelism. However, it is a complicated
solution, with two shared data spaces and an event bus.
4.4.4 Pipe-filter
Yet another possible solution to the KWIC problem uses the Pipe-filter pattern. In this
case a chain of transformers is constructed. We need a uniform data format to do that.
The same amount of parallelism as has been achieved in the event bus solution is pos-
sible here, in a less complicated system.
The same amount of data hiding as in the layered object-oriented solution is possible,
with the only drawback that there is a uniform data format for the pipes. This makes
the filters easier to work with, but when different data structures are chosen inside the
filters, there may be overhead because of translation between different data structures.
DISCUSSION QUESTIONS
1. In the previous module, we introduced the name tactic for an architectural de-
cision that influences the quality of the product. Architectural patterns can be
viewed as being constructed from tactics. Can you give some examples?
2. Once a pattern has been used in an architectural design, the reason for its use
may be forgotten and over time the design may start to diverge from the pattern.
Do you think this should be prevented? If so, how?
3. Design patterns often represent crosscutting concerns that can be implemented
using aspect-oriented programming or program transformation techniques. Is
the same true of architectural patterns?
4. In [8], the architecture of Linux is distilled from the source code. Do you recognize
patterns or styles in this architecture?
68
Module 5
INTRODUCTION
Enterprise applications are software applications that perform business functions such
as accounting, production scheduling, customer information tracking, bank account
maintenance and the like. These applications are almost always hosted on servers, and
are used by multiple employees of the same organization, and sometimes by customers
as well.
Major subcategories of enterprise applications include enterprise resource planning,
customer relationship management, and supply chain management. Other categories
supply operations specific to the users’ industry, for example banking, insurance, uni-
versities, hospital management, or civilian government.
Enterprise applications have similar architectural characteristics. In this module, we
discuss these characteristics, and patterns for enterprise applications.
LEARNING OBJECTIVES
After having studied this module you should be able to:
– explain the characteristics of enterprise applications,
– describe problems in each of the three layers of enterprise applications,
– describe patterns to solve those problems,
– explain the advantages and the disadvantages of those patterns.
70
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
5.1.1 Examples
Our first example of an enterprise application is a Business to Consumer (B2C) online
retailer, a business that sells goods to customers over the internet. Amazon.com, the
online bookseller that launched its site in 1995, is a well-known example of a B2C online
retailer. The major characteristic of this kind of application is the high volume of users.
That is why scalability is a high priority requirement for such a system. An application
for a B2C online retailer must be easily scalable by adding additional hardware. The
user interface of such applications has the form of a web presentation: everyone should
be able to access the application.
Our second example is an application to process lease agreements. A lease agreement
may concern renting buildings, cars or equipment, over a long period of time, espe-
cially for business use. This kind of application serves fewer users than an application
for a B2C online retailer does, has more complicated business logic (transactions may
take hours, for instance), and requires sophisticated presentation, often in the form of
a rich client (as opposed to a web-based user interface).
Our third example is an application for expense tracking for a small company. Such an
application has just a few users. Its business logic is simple. An important requirement
for such an application is that it should be easily and quickly adjustable, according
to the development of the company. Reusing the architecture and the development
methods of the two examples above would slow down the development of such a ap-
plication.
principal layers:
– The presentation logic layer is responsible for the interaction with the user. A
command-line interface may be used, but in most cases the interface is a rich
client or a web interface.
– The domain logic layer contains the main functionality of the system. Here, input
is validated and results are calculated. This layer is often structured with objects
that model real-world concepts.
– The data source logic layer implements the communication of the domain logic layer
with a database, with messaging systems or with other applications.
An example of an architecture with these three layers is the Java EE multi-tier archi-
tecture. Figure 5.1 shows four tiers on three machines. The difference between the
concepts of tier and layer is that a layer is concerned with the logical separation of func-
tionality, whereas a tier is concerned with the physical separation of functionality. In
this example, the web tier and business tier may run on two different machines; in this
case, they run on the same machine.
The client tier runs on the client machine, the web tier and the business tier on the Java
EE server machine, and the EIS tier on the database server machine. The client tier and
the web tier together form the presentation layer. The business tier contains the domain
logic and the datasource logic; the EIS tier contains the data that the data source tier
makes available.
The presentation logic in the Java EE architecture may be implemented using servlets
and JSP (JavaServer Pages), applets, JavaScript and Java applications (rich clients); the
business logic and the data source logic are implemented by Enterprise JavaBeans.
– Servlets contain Java code to generate HTML, similar to CGI (Common Gateway
Interface) scripts. Servlets all run in the same JVM (Java Virtual Machine) which
eliminates startup costs (CGI scripts run as separate processes, and thus incur
startup costs).
– JavaServer Pages (JSP) are similar to PHP pages: JSP pages contain code embedded
in HTML. Neither servlets nor JSP clearly separate HTML and logic. The logic
might be restricted to variables, but often the logic needs repetition or choice as
well. This results in pages with scripts and HTML entangled.
72
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
– Enterprise JavaBeans (EJB) are reusable components. They may be used for entities
(for instance database objects) as well as for sessions (the process of communi-
cation with a client). They are inherently distributed: communication is done
through the Java Remote Method Invocation (RMI) system or through CORBA.
An EJB server provides an environment that supports the execution of applications de-
veloped with EJB components. It manages and coordinates the allocation of resources
to the applications. Enterprise beans typically contain the business logic for a Java EE
application.
An EJB server (like JBoss) provides one or more EJB containers (Figure 5.2). An EJB
container manages the enterprise beans contained within it. For each enterprise bean,
the container is responsible for registering the component, providing a remote interface
for the component, creating and destroying component instances, checking security
for the component, managing the active state for the component, and coordinating
distributed transactions. Optionally, the container can also manage all persistent data
within the components.
Each layer of an enterprise application has its own problems, and patterns to solve
them. We discuss the problems and the patterns by layer. The patterns are all described
in detail in [19]
The Transaction script pattern simply uses a single procedure for each action that a user
may want to do, such as Book a hotel room. An action may be as simple as viewing
some information in a particular way, or as complicated as making several changes in
A domain model is an object oriented class model of a domain that incorporates both be-
havior and data. A domain model should be independent of other layers. It is therefore
usually easy to develop and test in isolation.
A domain model differs from a database model. Within a domain model, you may
make use of inheritance and of design patterns. Attributes within a class may be ob-
jects themselves, and behavior is an integral part of the model. Therefore, it is hard
to map a domain model to a database. Another disadvantage is the risk that data and
responsibility needed for single use cases lead to a bloated model.
A table module is a single instance that handles the business logic for all rows in a
database table or view. The traditional object-oriented approach is based on objects
with identity, along the lines of a domain model. Thus, if we have an Employee class,
any instance of it corresponds to a particular employee.
A table module organizes domain logic with one class per table in the database, and a
single instance of a class contains the various procedures that will act on the data. The
primary distinction with domain models is that, if you have many orders, a domain
model will have one order object per order while a table module will have one object
to handle all orders.
The Domain model and Table module patterns are similar in that data and behavior
are packed together; the difference is in what an instance stands for: one object with
identity in the domain model pattern; all rows in a database table (translated to an
object model, every row would be translated in a single object) for the table module
pattern.
A mapping from this pattern to a database is very easy. Disadvantages are that direct
instance-to-instance relationships are not possible. For instance, when a row within a
table represents a person, relations between persons are not possible within the table
module pattern. Inheritance is only possible between tables; not between rows of a
table. Because the rows correspond with the objects in the domain that we model, it
will, in general, not be possible to use design patterns with this pattern, in contrast
to the domain model pattern. So, for complicated domain logic, the domain model
pattern works better.
An example of this pattern can be found in Microsoft COM and .NET applications,
where the record set is the primary repository of data in an application, which can be
passed directly to the user interface.
74
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
As long as they are not temporary, attributes of a class may be mapped to columns in a
table. In principle, each class maps to a table.
����� �����
� �
����� �����
������� �������
������ ������
��� ���
����� ��������
�����
In Figure 5.3, class Album holds multiple references to objects of class Track. In the
database, this is reversed: class Album is mapped to a table Album, with columns key
and title. Class Track is mapped to a table with columns key and title. In the
class diagram, Album has an attribute tracks that points to a collection of Tracks.
Such an attribute cannot be mapped to a column of table Album. Instead, table Track
gets a third column, albumkey. To see the tracks belong to a certain Album, we first
need the key of that Album, and then we do a query on the Track table, to get all
Tracks that have that specific albumkey.
Figure 5.4 shows two classes: Employee and Skill, related through a many-to-many
association. The class Employee is mapped to a table with at least a column for the key.
The class Skill is mapped to a table in the same way. To establish the relationship,
we need a third table, with a key, an employeekey and a skillkey as columns. To
� �
�������� �����
find all skills of a certain Employee, we first look up the key of that Employee, then
do a query on the Skill-Employees table to get all rows with that employeekey,
and then we do queries on the Skills table to find the skills that are pointed to by the
skillkeys we have found.
To find all Employees with a certain skill, we do the same, the other way around. This
is the association table mapping pattern.
�
���
�
���������� �����
������
�
Within the Record set pattern (Figure 5.5), you use an in-memory representation of tab-
ular data. In general, record set objects are provided by your software platform (for
instance, the row sets of JDBC). To get data from this, you usually have to invoke a
generic method with a (String) argument to indicate which field you want. Record sets
are easily manipulated by domain logic when you use the table module pattern.
76
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
��������
�����
A table gateway is a gateway that holds all the code for accessing a single table or view.
The table gateway may return the information in different forms:
– in a single data structure (for instance a Map). The disadvantage is that this does
not allow compile time checking.
– in a record set, as provided by the platform (see the record set pattern above).
This works well with the table module pattern in the domain logic layer.
– in a domain object from the domain model. This solution forces bidirectional
dependency, which is a disadvantage, because either the domain model will be
structured as the database, or the other way around. The Data mapper pattern
(discussed below) provides a better solution for the domain model pattern.
��������
�����
������ ������������
��������
���������
������������������
������
������������
������
�����������������
������
������������������
use it), which is an advantage. As Figure 5.9 shows, the mapper first checks if the
domain object is already loaded. If not, it accesses the database, extracts the relevant
information, and creates the desired object. A problem is that objects are often interre-
lated; you have to stop pulling data back at some point. In this case, you may use the
Lazy load pattern, that does just what the name suggests.
find(93)
get(93)
null
«SQL»
: RecordSet
new
: Person
78
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
Server-side scripts
Scripts are programs in a general high-level programming language, that are inter-
preted on the server. A script may get data from parsing the HTTP request. It will
do some logic operations (often involving the logic layer), and generates HTML that is
sent back to the client.
An example of scripts on the server is formed by Common Gateway Interface (CGI)
scripts. They can be written in various languages. Perl is a popular language for CGI
scripts, because of the ease of regular-expression parsing. Another example is formed
by Java servlets. Servlets run as threads in one JVM, as we have said. Parsing of the
HTTP request is automated. The output (HTML) is generated with normal output
stream operators, which means that coding servlets is easy for any Java programmer.
However, web presentation is often the responsibility of graphical designers, and they
do not always have the programming skills to construct servlets (or other scripts).
As a side note, server scripts are not to be confused with client-side scripts, that may
be embedded in an HTML page. We will discuss those later.
Server pages
<html>
<body>
<%! S u b j e c t s s = new S u b j e c t s ( ) ; %>
C l i c k on any o f t h e s e s u b j e c t s :
<%
I t e r a t o r a l l = s . getAll ( ) ;
while ( a l l . hasNext ( ) )
{ S t r i n g Url = ( S t r i n g ) a l l . ne xt ( ) ;
%>
<p>
<a h r e f = " h t t p ://<%= Url %>. j s p " >
<%= Url%>
</a>
</p>
<%}%>
</body>
</html>
Server pages are pages written in HTML interspersed with code fragments, scriptlets
(see Figure 5.10). These code fragments are interpreted on the server, and will output
something that fits in the HTML code around it.
The advantage over servlets is that it is easier to see how the resulting HTML page
will look. The server pages technique works best if the results involved need little
processing. Examples of server pages are PHP (Hypertext Preprocessor), ASP (Active
server pages) and JSP (Java server pages).
In both techniques (scripts and server pages), logic and view (in the form of HTML)
tends to get tangled: in scripts, you have to follow the print-statements to see what
HTML is produced, whereas in server pages, you have to follow the scriptlets to see
what logic is involved. Several patterns help tackle this problem in the presentation
layer.
Model-view-controller pattern
This is the same pattern that has been discussed in the module about architectural
patterns. Here it is applied to web presentation.
– The model represents information about the domain. In enterprise applications,
the logic layer is responsible for the model, usually using a domain model.
– The view is a display of the model in the user interface. In web presentations, the
view is an HTML page, generated or static.
– The word controller has many interpretations, which has lead to many misunder-
standings of the Model-View-Controller pattern. It would be better to use the
word input controller: the controller takes input, forwards it to the model, which
may change as a reaction, and causes the view to be updated.
In standalone applications, the separation of view and controller is usually neglected.
In web applications, it is useful to use a script (a servlet for instance) for input interpre-
tation, and a server page for response formatting.
Page controller
�����
���������������
��������������
������������������
�������
���������������
�����������������
���
����
��������������
A page controller is an object that handles an action initiated on a specific web site, with
one controller per page. The web server receives HTTP requests (both GET and PUT
requests: the difference is that GET requests consist of a URL, sometimes followed by
parameters, whereas a PUT request consists of a URL and a separate ‘package’ of data),
and passes control to the page controller. The page controller inspects the URL and the
data, and decides what to do: data will be carried over to the model, which will process
them, and the results will be passed to a script or server page in the view, that will show
the results in a page. An alternative to page controller is a front controller, which handles
all requests for an entire web site.
As in the MVC pattern, the page controller is often a servlet, although the view is
implemented by server pages. The responsibilities of the page controller are:
– Decode the HTTP request and extract (form) data.
– Create and invoke model objects to process the data.
– Notify the appropriate view of the resultant changes in the model.
Figure 5.12 shows a servlet functioning as a page controller. The method
doGet(HttpServletRequest, HttpServletResponse)
80
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
class ArtistController
extends j a v a x . s e r v l e t . h t t p . H t t p S e r v l e t
{ ...
public void doGet
( H t t p S e r v l e t R e q u e s t r e q u e s t , H t t p S e r v l e t R e s p o n s e res ponse )
throws IOException , S e r v l e t E x c e p t i o n
{ Artist artist =
A r t i s t . findNamed ( r e q u e s t . getParame ter ( " name " ) ) ;
i f ( a r t i s t == n u l l )
forward ( " / M i s s i n g A r t i s t E r r o r . j s p " , r e q u e s t , response ) ;
else
{ request . setAttr ibute
( " h e l p e r " , new A r t i s t H e l p e r ( a r t i s t ) ) ;
forward ( " / a r t i s t . j s p " , r e q u e s t , re sponse ) ;
}
}
}
}
in a superclass for all page controllers. It is supposed to forward the result to the ap-
propriate view to display the result. The server page artist.jsp is an example of a
template view with a helper object, which will be explained below.
class ArtistHelper
{
private Artist a r t i s t ;
...
public S t r i n g getAlbumList ( )
{
S t r i n g B u f f e r r e s u l t = new S t r i n g B u f f e r ( ) ;
r e s u l t . append ( " <ul > " ) ;
f o r ( I t e r a t o r i = a r t i s t . getAlbums ( ) . i t e r a t o r ( ) ; i . hasNext ( ) ; )
{ Album album = ( Album ) i . next ( ) ;
r e s u l t . append ( " < l i > " ) ;
r e s u l t . append ( album . g e t T i t l e ( ) ) ;
r e s u l t . append ( " </ l i > " ) ;
}
r e s u l t . append ( " </ul > " ) ;
}
}
Using helper objects is much cleaner than embedding the repetition in the server page
as shown in Figure 5.10. With helper objects, the server page only has to contain a single
method call (as a Java expression, not a scattering of code fragments). The helper class
does contain a little HTML, but only for formatting purposes.
82
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
In the Transform view pattern, domain data is processed element by element, and trans-
formed into HTML. Where a template view is organized around the form of the output,
a transform view is organized around the separate transforms for different elements.
In Figure 5.14, every time a tag album is encountered in the xml snippet on the left,
HTML tags for html and body are written as is specified in the xslt snippet on the right,
the transforming process goes on, and when done, the end tags are written. Every time
a tag title is encountered within an album, a H1 HTML tag is written, the title is
written, and the H1 endtag is written.
In implementations of this pattern, the domain data is most often encoded in XML,
and the transformation is most often done using XSLT (Extensible Stylesheet Language
Transformation), a functional language for presenting XML data in HTML form, or any
other form. Several API’s have the possibility to present the result of the domain logic
as XML, e.g. JAXB. The XML is domain oriented; in the XSLT we decide the form the
output takes as a web page.
The Transform view pattern avoids two of the biggest problems with template view:
The transform is focused on rendering HTML and avoids mingling this with domain
logic, as is often the case within the Template view pattern. Furthermore, it is easy to
run the transform view and capture the output for testing, while the template view can
only be tested on a web server.
There are several techniques to provide a richer user experience than is possible with
plain (static or server-generated) HTML.
Java applets
Java applets are Java programs that run within the browser. The advantages are that
they may provide the look and feel of a rich client within the browser, and that you
have the full power of Java. Security issues are solved: applets run within a sandbox,
imposing strict limitations on access to system resources.
Disadvantages are that applets require the browser to have the right version of Java,
and that there is no cooperation from e.g. Microsoft Internet Explorer: users must then
install Java separately to be able to make use of applets.
Canvas
The HTML5 Canvas element makes it possible to draw, using a script language such
as JavaScript, in that element on the webpage.It is possible to add events handlers to
areas in the drawing, which makes it possible to create graphical applications with
interaction.
Advantages are that it makes highly dynamic pages possible, that no plugin is required,
and that it works with every modern browser.
A disadvantage is that it needs JavaScript programmer skills to develop an applica-
tion. There are libraries available, but one needs to be an experienced JavaScript pro-
grammer to work with the HTML5 canvas element. An authoring environment for
non-programmers (still) lacks.
DHTML
DHTML stands for Dynamic HTML. It consists of the combination of HTML, CSS,
JavaScript and the DOM.
– HTML is the markup language for web pages.
– CSS (Cascading Style Sheets) makes it possible to inform the browser about styles
(color, font, width of elements, etc) to use for HTML elements.
– DOM stands for Document Object Model. Using the DOM, a web page is rep-
resented as an object, and each element of the page can be accessed separately.
Accessing elements of a page can be done using client-side scripting, for instance
using JavaScript.
Using DHTML, it is possible to dynamically change style properties of a certain ele-
ment of a page (for instance by making elements visible or invisible). Such changes
may be done as a reaction to input from the user (from the mouse or the keyboard)
or changes may be timed. Because the scripts are interpreted by the browser, there
is no need to communicate with the web server. Using the canvas element to create
graphical, interactive programs, is a specialized example of DHTML.
The advantage of DHTML is that it requires no plugin, and that it works within ev-
ery (new) browser (unless the user has disabled JavaScript). Disadvantages are that
older browsers may support different versions of JavaScript, that different browsers
have different interpretations of the Document Object Model, and may also differ in
their support for CSS. Support is getting better with each new version of browsers,
fortunately.
XML derivatives
Several XML derivatives exist, such as:
– XUL (XML User Interface Language), for Firefox,
– XAML (eXtensible Application Markup Language), for Microsoft Windows Vista,
– MXML (Maximum eXperience Markup Language), for Macromedia Flex + Ac-
tionScript,
– XAMJ: open-source alternative to XAML, based on Java (clientlet architecture).
The disadvantages are obvious: at this moment, there is no standardization between
browsers.
Ajax
Ajax is an acronym for Asynchronous JavaScript And XML. It was first introduced by
James Garrett of Adaptive Path in 2005 [21]. Ajax is based on the XMLHttpRequest
object, which is not standardized, but implemented similarly in Internet Explorer,
Firefox, Mozilla, Safari, Opera, Konqueror, etc.
The general idea of Ajax is to enhance the responsiveness of web pages. Instead of
getting a whole new page after some action of the user (with the corresponding wait
time), an XMLHttpRequest is sent to the server. The server responds by sending back
data (for instance encoded in XML), which are placed on the page by JavaScript (by
accessing the DOM), without a page reload.
Advantages are that it requires no plugin, only JavaScript in the browser, and that it
works with arbitrary server-side techniques. Disadvantages are that it is easy to violate
user’s expectations about the behavior of web applications. It is possible to implement
the functionality of the “Back” key for instance, but the developer has to implement it
explicitly. Many Ajax sites therefore do not react to the Back key as the user expects.
Well-known examples of the use of Ajax are Google’s applications (GMail, Google
maps), Flickr or Amazon.
84
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
5.3.2 Transactions
A transaction is a bounded sequence of work with well-defined begin and end points.
Software transactions should be ACID: atomic, consistent, isolated and durable.
– Atomic means that every step must complete successfully within the bounds of
the transaction or all work must roll back.
– Consistent means that the system must be in a non-corrupt state between transac-
tions.
– The transactions are isolated when the results of a transaction in progress are not
visible until it commits successfully.
– The transactions are durable when the results of a committed transaction are per-
manent, i.e. survive a crash of any sort.
The SQL standard defines several levels of transaction isolation. Several problems may
occur in concurrent transactions. The highest level of isolation avoids them all; the
lowest level of isolation allows them all. The problems that may occur are:
– Dirty Read: A session reads rows changed by transactions in other sessions that
have not been committed. If the other session then rolls back its transaction,
subsequent reads of the same rows will find column values returned to previ-
ous values, deleted rows reappearing and rows inserted by the other transaction
missing.
– Non-repeatable Read: A session reads a row in a transaction. Another session then
changes the row (Update or Delete) and commits its transaction. If the first ses-
sion subsequently re-reads the row in the same transaction, it will see the change.
– Phantoms: A session reads a set of rows in a transaction that satisfies a search con-
dition (which might be all rows). Another session then generates a row (Insert)
that satisfies the search condition and commits its transaction. If the first session
subsequently repeats the search in the same transaction, it will see the new row.
The Client session state pattern stores the session state on the client. This is easy within
a rich client application. For HTML interfaces, three common ways to store the session
state are:
– URL parameters: The session state is kept as parameters in the URL, which means
that the server receives the session state with each HTTP-request. Links on a
respond page take the session state as a parameter. Such a URL looks like:
http://www.barnesandnoble.com/index.asp?userid=uF7IWlCAnh
– Hidden fields: Hidden fields in a form are similar to text fields, with the difference
that they not show on the page. Information can be stored in a hidden field on the
page, and will be sent back to the server together with the information that the
user has entered in the form. A disadvantage is that they are not secure: anyone
can look at the data by looking at the source of the page.
– Cookies: A cookie is a message given to a web browser by a web server. The
browser stores the message in a text file. The message is sent back to the server
each time the browser requests a page from the server. The main purpose of
cookies is to identify users and possibly prepare customized web pages for them.
When you enter a web site using cookies, you may be asked to fill out a form pro-
viding such information as your name and interests. This information is pack-
aged into a cookie and sent to your web browser which stores it for later use. The
next time you go to the same web site, your browser will send the cookie to the
web server.
The name cookie derives from UNIX objects called magic cookies. These are tokens
that are attached to a user or program and change depending on the areas entered by
the user or program. Both URL’s and cookies have size limitations.
86
MODULE 5. PATTERNS FOR ENTERPRISE APPLICATIONS
�������
��������������
�����������
���������
�������������� ��������
������������������������������� �����������������
�������������
�����������
ponent for customers, a component for orders and a component for deliveries) on dif-
ferent machines, because remote procedure calls are orders of magnitude slower then
local procedure calls.
A local interface must be fine-grained to take advantage of object oriented principles
like overriding and delegation. A remote interface is optimized not for flexibility and
extensibility but for minimizing the number of calls that are necessary. Therefore you
cannot take a component designed to work as a single process and put it on a remote
machine. One effective use of multiple processors is clustering: run multiple copies of
an entire subsystem on various nodes. Let the subsystem have a course-grained façade
and minimal communication with the rest of the system. That is what the Remote
Façade pattern does.
The Remote façade pattern is an instance of the Façade design pattern. It provides a
course-grained façade on fine-grained objects to improve efficiency over a network.
The fine-grained objects contain the domain logic. Remote façade replaces all the get-
ters and setters of the individual objects by a bulk access method, as is shown in Fig-
ure 5.15.
In Figure 5.15, the remote façade corresponds to a single domain object. More often, the
façade combines data from several different objects. You may have different façades
for different clients. The façade’s methods form a natural point to enforce security.
Otherwise, it’s a thin skin with no responsibility or domain logic of its own.
DISCUSSION QUESTIONS
1. How would you decide among the various patterns handling a similar problem,
e.g. among the Transaction script pattern, the Domain model pattern and the
Table module pattern?
2. Do you favor server-side presentation (as in the Template view pattern) or client-
side presentation (as in Ajax)? What arguments could decide the choice?
3. Should a source code repository use optimistic or pessimistic locking? Why?
INTRODUCTION
LEARNING OBJECTIVES
After having studied this module you should be able to:
– explain the requirements for the integration of enterprise applications,
– describe different patterns to integrate applications while introducing
or maintaining loose coupling,
– discuss the advantages and disadvantages of patterns for enterprise
application integration.
88
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
1. Information portals aggregate information from multiple sources into a single dis-
play. Many business users have to access more than one system to answer a
specific question. Simple information portals divide the screen into multiple
zones. Sophisticated information portals provide interaction between zones so
that changes in one zone affect another.
2. Data replication. Many systems require access to the same information. For exam-
ple, a customers address may be used in the customer care system (when the cus-
tomer calls to change it) and in the shipping system (to label the shipment). Both
systems have their own data stores to store the customer related information.
When a customer calls a change his address, all these systems need to change
their copy of the customers address. Data replication means distributing changes
across the data stores of all systems.
3. Shared business functions. Applications tend to implement redundant function-
ality. For example, multiple systems may need to check whether the address
matches the specified postal code. It makes sense to expose these functions as a
90
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
• The integration method works only for byte streams: that is why we need the
BitConverter class. The internal representation of a data type varies across
systems (an integer may be 32 bits in one programming platform, but may be 16
or 64 in other systems).
• The protocol relies on a strict data format. In the example we send two parame-
ters: the amount of bytes and the receiver’s name. We cannot add more parame-
ters without modifying both sender and receiver.
– remove assumptions about data format by allowing for transformation inside the
channel,
– and when the strategies above result in code that is becoming too complex, intro-
duce message-oriented middleware.
92
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
data flow diagram of this pattern (with a “file” symbol borrowed from flow charting,
not UML). When the pattern is used, then:
– Each application produces files that contain the information the others must con-
sume;
– Integrators take the responsibility of transforming files into different formats;
– The applications produce files at regular intervals according to the nature of the
business.
F ile
A p p A E x p o rt Im p o rt A p p B
When using the File transfer pattern, the developers must agree on, and provide
– File-naming conventions;
– Directories for file storage;
– A strategy to keep file names unique;
– The responsibility for deleting old files;
– Locking mechanism.
A component of this integration pattern gets the responsibility for deletion of old files.
It must also be informed by the sender side when a file is old. Both sides must agree
beforehand on the criterion.
The pattern implements a locking mechanism to ensure that one application is not try-
ing to read the file while another is still writing it. The locking mechanism may be
replaced by timing conventions.
With more frequent updates, the File transfer pattern resembles the Messaging pat-
tern (discussed in Section 6.3.4). The remaining problem is managing all the files that
get produced, ensuring that they are all read and that none of them get lost. Also pro-
cessing files tends to have a high overhead, so it is better to have specialized support.
Advantages
The advantages of this pattern are the following:
– integrators need no knowledge of the internals of an application;
– no tools or integration packages are needed.
Disadvantages
The systems integrated using the File transfer pattern can easily get out of sync. Some-
times this is not a big deal: if you change your address, you expect mail to arrive at the
old address for some days or even weeks. But sometimes it is really important (think of
airline reservations), and in that case file transfer is not the obvious choice. A strategy
must be chosen for resolving inconsistent changes.
Another example, a customer management system can process a change of address and
produce an extract file each night, but the billing system may send the bill to an old
address on the same day. This can lead to inconsistencies that are difficult to resolve.
Organizations should have strategies for resolving inconsistent changes. The longer
the period between file transfers, the more likely the inconsistencies can become. The
File transfer pattern is not suitable when everyone must have the latest data in an en-
terprise. Even with rapid updates of files, the inconsistencies remain a problem of the
File transfer pattern.
The File transfer pattern may not enforce data format sufficiently. Many integration
problems come from incompatible ways of looking at the data. This causes the so
called semantic dissonance that cannot be resolved by data format transformations. Se-
mantic dissonance means that different applications have similar concepts with subtly
different meanings.
For instance, a “CS major” may mean:
– a student whose present major is CS (Computer Science),
– the above or a former student whose major at the time of graduation was CS,
– a student whose major at the time of initial registration was CS,
– one of the above with the proviso that their studies are financially supported by
the government (no second degrees, no non-EU students),
– one of the above with the proviso that they have no outstanding financial obliga-
tions,
– one of the above with the proviso that they have not been advised to abandon the
field,
All of the above mentioned semantics are actually used in different management ap-
plications within the Utrecht University!
Both problems of the File transfer pattern are solved with a central, agreed-upon data
store that all of the applications share. Inconsistencies, however, remain a problem.
They can be solved by assigning to one application the ownership and responsibility
for a certain piece of data, but then the system will have to remember and enforce this.
������ ����
Advantages
The Shared database pattern guarantees consistency of data. Moreover, in this pat-
tern the simultaneous updates can be prevented by transaction management systems.
Transformation of data is unnecessary. Practically all application development plat-
forms can work with SQL. Semantic dissonance is avoided. Meaning of data is dealt
with beforehand in database design.
94
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
Disadvantages
It is difficult to come up with a database design that can meet the needs of multiple
applications. Often this results in a schema that individual application programmers
find difficult to work with. This creates political pressure from departments to separate
their data.
A harder problem is external packages. Most packaged application won’t work with a
schema other than their own. Also, software vendors tend to change the schema with
every new release.
The database can become a performance bottleneck. A performance bottleneck occurs
when many applications need to operate on the database and block each other out.
It might even lead to a deadlock. Accessing a single-location database might be too
slow, and a distributed database is more prone to ownership confusion and blocking
conflicts.
How to integrate multiple applications so that they work together and can exchange
information? The applications are built independently, using different languages and
platforms. The applications need more than just sharing data, as in the File transfer
and Shared database patterns.
The Remote procedure invocation pattern enables the applications to share functionality,
not just data. In the Remote procedure invocation (RPI) pattern, each application is
a separate component with encapsulated data, which provides an interface to allow
other applications to interact with the running application. Figure 6.4 shows a UML
deployment diagram where two components have a remote procedure invocation.
A number of technologies, such as Unix RPC (remote procedure call), JSON-RPC,
CORBA or Java RMI (remote method invocation) implement the Remote procedure
invocation pattern. Standards such as SOAP also allow RPI-style Web services.
����
����
���������
����������
���������
RPI is more than just sharing data. The Shared database pattern provides an unencap-
sulated data structure. In order to apply object-oriented techniques like information
hiding, we want to hide the raw data behind access methods, but this behavior needs
to be copied at every location. If we want to centralize the functionality of the Data
mapper pattern, we need a way to call its methods remotely.
Advantages
RPI makes it easier to deal with semantic dissonance: a component may provide sepa-
rate interfaces for different kinds of clients. Also, it is easy to program, because remote
procedure or method invocation mimics local procedure or method calls.
Disadvantages
The fact that the Remote procedure invocation pattern mimics local procedure invoca-
tion is a disadvantage at the same time: it hides the big differences between those two
with respect to reliability and performance.
Also, the Remote procedure invocation pattern involves tight coupling. This is due to
synchronization, because one component waits while the other completes the proce-
dure invocation, and due to interface dependency, which makes it difficult to change
and develop independently.
The remote calls tend to tie the different system into a growing knot. In particular, se-
quencing - doing certain things in a particular order can make it difficult to change sys-
tems independently. People often design the integration the way they would design a
single application, unaware that the rules of the engagement change dramatically [24].
�����������
Let an enterprise have multiple applications that are built independently, in different
languages and platforms. The enterprise needs information to be shared rapidly and
consistently. In OO, method calls are sometimes loosely called messages. That is not
what we mean here. We mean real messages, like e-mails. The big difference is that
with a method call, you wait for the answer before proceeding. With a real message,
you send it and move on. It is like the difference between a phone conversation and
voicemail.
In this case the asynchronous messaging is fundamentally a pragmatic solution of the
integration problem. The asynchronous paradigm send and forget does not require to
both systems to be up and ready at the same time. One application’s failure does not
bring down all of the other applications.
Advantages
96
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
– Messaging does not require both systems to be up and ready at the same time.
– This pattern forces developers to develop components with high cohesion. Since
remote messages are costly, the developers will try to minimize messages and
concentrate strongly related jobs in one component. In the context of messaging
high cohesion means that lots of work is done locally, and only selective work is
done remotely. Remote calls do not masquerade as local calls.
– Messages can be transformed in transit without sender or receiver having to pay
attention to this.
– Messages can be broadcast to many receivers.
– Application development can proceed separately from integration decisions.
Moreover, the Messaging pattern allows applications to collaborate behaviorally, i.e.
allows process to be launched at once if a certain event takes place. Remote procedure
invocation also allows applications to collaborate behaviorally, but blocks the whole
system while this is going on.
Messaging allows much of the decoupling, like the File transfer pattern, but with rapid
updating, automatic retry until success, and automatic notification. Messaging is not
prone to failure and deadlock.
Disadvantages
Messaging reduces but not entirely eliminates the time lag problems. These problems
are not so serious as in the File transfer pattern, but still exist. The asynchronous solu-
tion means that systems are not being updated at quite the same time (e.g. the “Mid-
night problem”: time checked at 23 : 59, date checked at 00 : 01).
Messaging itself does not provide a solution to the semantic dissonance problem, how-
ever the problem can be solved by sending messages to a data mapper.
• Transformation. Various applications may not agree on the format for the same
conceptual data. To reconcile this, the message must go through a filter, a message
translator which converts the message from one format to another.
A channel is a logical address in the messaging system. Logical addresses are character-
ized by an alphanumeric name, often within a hierarchical organization. One physical
channel can contain many logical channels as long as it knows how to keep them sep-
arate. Applications use different message channels for different types of information.
Messaging systems do not come preconfigured with message channels. They must be
configured by the system administrator to set up the channels that the applications
expect. Consider, for example, a message channel in the Java Messaging System (JMS).
The Sun J2EE SDK ships with a reference implementation of the J2EE services including
JMS. The j2eeadmin tool can configure message channels:
Once the channel has been created, it can be accessed from JMS client Java code:
How can the server broadcast an event to all interested receivers? The Publish-subscribe
channel pattern expands upon the Observer pattern by adding the notion of an event
channel for communicating event notifications.
An event can be packaged as a message. The event channel is a message channel.
Each subscriber has to be notified of a particular event once and should not be notified
repeatedly of the same event. The event cannot be considered consumed until all the
subscribers have been notified, but once they have, the event should disappear from
the channel. Concurrent subscribers should not compete but should be able to share
the event message.
The Publish-subscribe channel pattern has one input channel that splits into multiple
output channels. When an event is published into a channel, a copy of the message is
delivered to each of the output channels. Each output channel has only one subscriber.
This way each subscriber gets the message only once and consumed copies disappear
from their channels.
The Publish-subscribe channel can be useful debugging tool. Monitoring al traffic on a
channel without disturbing the existing message flow is helpful for debugging.
Subscriptions need to be restricted by security policies if we do not want to allow any-
one to write a simple program to listen to the message traffic. See also the Event bus
pattern (module on Architectural patterns).
98
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
Message subpattern
Data to be transmitted have their structure: records, objects, database rows, etc. The
structured data are sent as a stream of bytes. The first process must marshal the data
into byte form, the second process must unmarshal the data back into its original form.
A message consists of a header and a body. A message header contains information used
by the messaging system. A header describes such data as data origin, destination,
type etc. A message body contains bytes being transferred. A message body is ignored
by the messaging system.
A message endpoint is a set of code specific to both the messaging API and the applica-
tion, that shields the application from the messaging system. The Message endpoint
pattern encapsulates the messaging system from the rest of the application and cus-
tomizes the general messaging API for a specific application.
A message endpoint can be used to send messages or receive them, but one individual
message endpoint object does not do both. An endpoint is channel specific, so a sin-
gle application would use multiple endpoints to interface with multiple channels. An
application might even use multiple endpoints at a single channel, usually to support
multiple concurrent threads.
A message endpoint is designed as a specialized messaging gateway (see module on
Enterprise Application Architecture).
In JMS the two main endpoint types are MessageProducer, for sending messages,
and MessageConsumer, for receiving messages. A message endpoint uses an instance
of one of these types to either send messages to or receive messages from a particular
channel.
�������
���������
�������
���������
�������
�������
How does a message endpoint know when a new message is available? How can an
application consume a message when the application is ready?
A simple solution is to repeatedly check the channel to see if a message is available.
When a message is available, it consumes the message and then goes back to checking
for the next one (Figure 6.6). This process is called polling. The advantage of this ap-
proach is that the consumer can request the next message when it is ready for another
message. So it consumes messages at the rate it wants to rather than at the rate they
arrive in the channel.
100
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
If the channel is empty, a polling consumer will spend processor time looking for mes-
sages that are not there. The alternative to this solution is to let the channel tell the
client when a message is available. It is also known as an asynchronous receiver, because
the receiver does not have a running thread until a callback thread delivers a message.
An event triggers the receiver into action.
An event-driven consumer is an object that is invoked by the messaging system when a
message arrives on the consumer’s channel (Figure 6.7). The messaging system also
invokes an application specific callback. An Event-Driven Consumer has an applica-
tion specific implementation that confirms to a known API defined by the messaging
system.
���������
���������
��������
�������
The HornetQ system (Figure 6.8) from JBoss supports many subpatterns from the Mes-
saging pattern: it supports both publish-subscribe as point-to-point messaging, both
blocking and non-blocking sends, scheduled messages, message priorities, and both
persistent and non-persistent messages. It provides guaranteed delivery, i.e. ensures
that messages arrive once and only once where required, and supports ACID ((atomic-
ity, consistency, isolation, durability) semantics, and has a customizable security frame-
work based on JAAS. Messages can be ordered, which means that they will be deliv-
ered in exactly the same order as they have been placed in the queue. Clients and
servers can be configured to communicate using unencrypted TCP sockets, encrypted
TCP sockets using the Secure Sockets Layer (SSL), over HTTP requests and responses
also behind a firewall), or within the same Java virtual machine.
The system provides a management API that can be accessed using JMX.
6.4 Conclusion
102
MODULE 6. PATTERNS FOR ENTERPRISE APPLICATION INTEGRATION
DISCUSSION QUESTIONS
105
Module 7
Component software
INTRODUCTION
The traditional way of developing software is to develop entirely from scratch, using
only the programming tools and libraries. The software developed this way is called
custom-made software. On the one hand, custom-made software has a lot of advan-
tages. It is optimally adapted to the user’s business model, it uses optimal solutions in
the local areas of expertise and takes advantage of domain knowledge. On the other
hand, custom-made software is very expensive. Custom-made software will have sub-
optimal solutions in all but the local areas of expertise, and chasing state-of-the-art so-
lutions is a burden. It involves a risk of failure and of late delivery, and interoperability
with business partners or customers is not guaranteed.
The opposite of custom-made software is standard software, produced for a mass mar-
ket. Standard software can be parameterized to provide a solution that is close enough
to the business needs, and as such covers the time-to-market risk. On the other hand,
standard software may necessitate business process reorganization, does not provide a
competitive edge, and cannot be quickly adapted. For example, some ERP (enterprise
resource planning) software fixates the hierarchic relations between departments and
therefore puts an end to the autonomy of departments.
Component software represents a solution in between. Component software is easier
to customize than standard software.
LEARNING OBJECTIVES
After having studied this module you should be able to:
– to explain the goal of component software,
– to describe what a component is,
– to describe standards of component connecting,
– to make a comparison between web services and components.
108
MODULE 7. COMPONENT SOFTWARE
DEFINITION 7.1 Software components are binary units of independent production, acquisition and de-
ployment that interact to form a functioning system.
An often used word is COTS, originally meaning: Commercial Off-The-Shelf Software:
software that can be reused by other software products to become part of their product.
COTS is now used to denote both commercially available and open-source software
components [22]. A COTS product has the following characteristics:
– it is not produced here, i.e. within these projects nor exclusively for them;
– it may be closed-source as well as open source, being open source software usu-
ally treated as if it were closed;
– it is not a commodity, i.e. not shipped with the operating system, nor provided
with the development environment, nor generally included in any pre-existing
platform;
– it is integrated into the final delivered system, i.e. it is not a development tool;
– it is not controllable, in terms of provided features and their evolution.
Component assembly allows for individual investment/performance trade off choices,
and components may be combined with custom-made components. The trade-off in
Figure 7.1 can be read as follows: when there are no demands for flexibility, change-
ability, being at the competitive edge and so on, a COTS component is very cheap
compared to in-house development of such a component. However, when the demand
for changes is high, it is cheaper to develop and maintain a component in-house than
to choose a COTS component and look for a replacement each time a change is needed.
may look like a collection of classes from the outside (it only rarely looks like a single
class); it may be programmed in a non-object-oriented language.
Examples of components are:
– Every application running on an operating system is a coarse-grained compo-
nent. Interaction between these components is carried out by common file for-
mats (a .gif file for instance, is readable and editable in a number of applications)
or by pipe/filter composition (in Unix, filter applications like sort or uniq expect
a stream of characters as input and have a stream of characters as output, and can
be composed using pipes, in a shell script or on the command-line).
– In a microkernel architecture OS, some functionality is delegated to application-
level services. These services may be seen as components. Examples of such an
architecture are Symbian or L4.
– In plug-in architectures, plug-ins are components. Examples are the Mozilla
browser or the Eclipse framework. In all cases, it is possible to extend the func-
tionality by adding plug-ins.
– JavaBeans are also an example of components.
7.2.1 Modularity
Components provide late integration: they are integrated after acquisition and deploy-
ment. This also means that integration testing is no longer feasible: the number of
combinations in which a component can be used is infinite, so testing all those combi-
nations in advance is impossible.
What is possible is modular checking: analysis of component properties based only
on the interfaces explicitly required. Also, if possible, one can inspect the code of a
component and check whether all assumptions about its environment are explicitly
stated, and check whether the number of assumptions is as small as possible. This
requires defensive programming: to program without assumptions, or at least with as
small a number of assumptions as possible.
110
MODULE 7. COMPONENT SOFTWARE
7.4 Reuse
Software units can be reused in two ways: blackbox and whitebox reuse.
DEFINITION 7.2 Blackbox reuse is reuse of a software unit knowing only the interface and its specifica-
tion.
DEFINITION 7.3 Whitebox reuse is reuse of a software unit knowing its source code.
An example of black-box reuse is using an API (application programming interface).
An example of white box reuse is using class libraries or frameworks. Reuse of compo-
nents is blackbox reuse: open software components for instance may be used without
knowledge of the source code, even though the code is available.
DEFINITION 7.4 A component in UML stands for a replaceable part of a system that conforms to and
provides the realization of a set of interfaces.
Interfaces
notation for replaceable units, especially if these do not map directly to a single class in
the implementation.
UML 2.0 components are modeled as simple rectangles. UML 2.0 uses the compo-
nent presentation of UML 1.x as a visual stereotype within the rectangle to indicate
that the rectangle represents a component (but a textual stereotype is also acceptable).
A component diagram models dependencies, either between components or between
components and interfaces. The lollipop symbol indicates a provided (implemented)
interface and the socket symbol indicates a required interface.
Ports
In an encapsulated component, all of the interactions into and out of the component pass
through ports. A port can be seen as an explicit window into the component. A port
has a uniquely identifying name. The externally visible behavior of the component is
the sum of its ports.
Ports permit the interfaces of a component to be divided into discrete packages that
can be used independently. The internal parts of a component may interact through a
specific external port, so that each part can be independent of the requirements of the
other part.
Figure 7.3 shows that the provided interface Load Attractions and the required interface
Booking are combined together into the port attractions.
112
MODULE 7. COMPONENT SOFTWARE
Connectors
Figure 7.5 shows an example of an artifact diagram, in UML 2.0. An artifact path.dll
and component Path have an association manifest. An artifact is usually depicted as a
document or a box with one of the stereotypes Executable, Library, File or Document.
����������
�����
������
��������
�������
A UML 2.0 deployment diagram (Figure 7.6) depicts a static view on the run-time config-
uration of processing nodes and the components that run on those nodes. A node is a
physical object that exists during runtime and represents a computational unit (e.g. a
computer, a printer or a router). A node is represented as a 3D rectangle. A connection
is a physical connection between nodes (e.g. an Ethernet connection).
The nodes of deployment diagrams depict physical objects, as do artifacts, but artifacts
are things that participate in the execution of a system; nodes are things that execute
artifacts. Artifacts represent the physical packaging of other logical elements; nodes
represent the physical deployment of artifacts. The relationship between a node and
the artifacts it deploys can be shown explicitly by nesting (but most of the time we rely
on text-based information).
114
MODULE 7. COMPONENT SOFTWARE
7.6.1 Components
DEFINITION 7.5 A software component is a unit of composition with contractually specified interfaces
and explicit context dependencies only. A software component can be deployed in-
dependently and is subject to composition by third parties [54].
Components should specify their needs, called context dependencies, referring to the con-
text of composition and deployment. In the real world, the producers of components
emphasize their provided interfaces (as opposed to their required interfaces). Several
component worlds exist, that partially conflict, such as CORBA, Universal Network
Objects from OpenOffice, D-Bus (Gnome), or J2EE. These “worlds” consist of conven-
tions about how distributed components may communicate.
DEFINITION 7.6 A component interface is the set of named operations provided by this component for
invocation by clients.
Every operation in the interface must be specified. The specification provides the com-
munication between the implementor and the clients. A specification consists at least
of the name, signature and return type. But see also below: contracts about behavior
must be added for safety.
Versions
With direct interfaces, version numbers may be checked at bind time. With indirect in-
terfaces, version checking is not sound, because object references may cross component
boundaries, so it is not possible to check the version of an implementation at bind-time.
For example, suppose a class C, with two incompatible versions C1 and C2 . Compo-
nent A needs C1 , while component B needs C2 . It is possible that A sends an object
to B, with type C. When the object was created, A has checked its version, which was
C1 , so A believes everything is in order. Component B now only sees the static type of
the object, which is C. Unfortunately, B is no longer able to check the object’s version,
because it cannot determine the dynamic type.
Interfaces as contracts
116
MODULE 7. COMPONENT SOFTWARE
Module safety
Unfortunately, type safety and elimination of memory errors are not enough: with
these in place, it is still possible for a program to call arbitrary services present in or
loadable into the system. A downloaded component might, without any further safety
measures, take control of the computer, or make use of communication ports.
Module safety means that a component has to specify explicitly which services (from
the system or other components) it needs to access. It works in the same way as access
control in file systems, but on a module or class basis. In Java, for example, the import
statement guarantees that the class only retrieves references to other objects which it
has imported through the import statement. Accessing objects of classes that are not
mentioned in an import statement is impossible.
types of parameters and of possible return values. To ensure that communication across
machine boundaries works, an IDL fixes the range and binary coding conventions of
basic types. An IDL may for instance marshal integers to big-endian 32-bit two’s com-
plement encoded integers1 . An IDL also generates universally unique identifiers.
Examples of IDLs are the DCE IDL (Distributed Computing Environment, a standard
of the Open Software Foundation), the OMG IDL (Object Management Group, inter-
national standards organization, founders of CORBA) and the IDL for the Universal
Network Objects for OpenOffice.
7.8.1 Scala
Scala is a research project [36] with the goal to integrate full support for components
into a programming language. It is interoperable with Java without glue code. Scala
offers uniform abstraction concepts for both types and values, it unifies functional and
object-oriented programming, and it has built-in support for pattern matching and
XML.
Scala is designed to be scalable: the same concepts describe small as well as large parts.
Everything is an object: operations, functions, values, components. To be reusable, a
component should publish both its provided and its required interfaces. The latter has
so far been missing in programming languages.
In Scala, components are classes and traits. A trait is like an interface in Java, with
the possibility to have partially implemented methods: a trait is an abstract class with-
out data members. All objects, including functions, are first-class values, which means
that they can be passed around as a parameter, for instance. Scala supports recursive
references, which means that for instance a function can use itself inside its implemen-
tation, and supports inheritance with overriding. Component composition is done by
mixin-based class composition, which means that a class may inherit from one class.
Components may use partial implementations of traits, similar to the use of interfaces
in Java, with the difference that a class may also use implementations of a trait. No
explicit “wiring” is needed. Provided services are modeled as concrete members, re-
quired services are modeled as deferred (abstract) members.
7.8.2 XML
XML (extensible markup language) was introduced in 1998 [9]. Originally, XML was
designed for large-scale electronic publishing, but today, it plays an increasingly im-
portant role in the exchange of a wide variety of data on the web and elsewhere.
XML is useful for representing any structured and semistructured data. Where rela-
tional databases prefer tabular data, XML prefers tree-shaped data. It is more flexible
than relational databases.
XML is a text-based, generic approach to describing data for any purpose. Names are
tagged unambiguously by namespaces. In Figure 7.7, there is a namespace denoted by
n, with value http://myorganisation.com/customer.
XML is now commonly used for messages, documents, and configuration data. Most
browsers directly support displaying XML documents. XML has become the “lingua
franca” among applications of independent origin. It allows for independent extension
1 Two’s-complement is a system in which negative numbers are represented by the two’s complement of
the absolute value. The two’s complement of a 32-bit binary number is the value obtained by subtracting the
number from the 32 power of two
118
MODULE 7. COMPONENT SOFTWARE
that does not interfere with documents that were created before such extensions were
introduced.
The success of XML as a standard format for durable data representation is partly be-
cause of its properties, and partly because of proper timing: standardization was felt
to be needed. XML is rooted in the older SGML (Standard Generalized Markup Lan-
guage, 1986) but stands out because of its full support for extensibility.
XML elements are opened and closed by tags, in the same way as is done in HTML. An
XML element may contain nested elements or unstructured text. The order of elements
is relevant. XML attributes appear within opening tags, again, in the same way that
HTML elements may have attributes. Attributes are recognized by their names, and
order is irrelevant
<?xml version = "1.0" ?>
<xsd:schema xmlns:xsd = "http://www.w3.org/2001/XMLSchema">
<xmlns:n = "http://myorganization.com/customer">
<xsd:element name = "n:Customer" type = "n:CustomerType"/>
<xsd:complexType name = "n:CustomerType">
<xsd:sequence>
<xsd:element name = "n:CustomerID" type = "xsd:string"/>
<xsd:element name = "n:NameAdd" type = "n:NameAddType"/>
<xsd:element name = "n:Remarks" minOccurs = "0"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name = "n:NameAddType">
<xsd:sequence>
<xsd:element name = "n:Name" type = "xsd:string"/>
<xsd:element name = "n:Address" type = "xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>
Rules constrain well-formed XML documents. These rules were originally expressed
in DTDs (Document Type Descriptors). DTDs are syntactically cryptic, and are not ex-
tensible. To overcome these disadvantages of DTDs, XML Schema has been introduced
in 2001. XML Schema [17] is itself extensible, and schema’s expressed in XML Schema
are also extensible. An XML Schema is much richer and more expressive than a DTD.
The Simple Object Access Protocol (SOAP) is an XML-based standard for invocations
to remote objects, and was introduced in 2000. SOAP uses HTTP. It offers means to
describe the addressee of an invocation and to encode programming data types.
SOAP does not guarantee that URL’s yield the same object every time. This feature
was intended to eliminate fragile state dependence: the situation that the caller as-
sumes that the state of the object it calls remains the same between two subsequent
calls. Such assumptions are only appropriate for synchronous communication between
tightly coupled processes, and not for asynchronous communication over the internet.
The latency is about 10 times the latency of traditional RPC, due to the encoding in
XML which is less compact than in traditional RPC. However, this increase in latency
is negligible on wide-area or internet connections.
<SOAP-ENV:Envelope>
<SOAP-ENV:Body>
<xmlns:n = "http://myorganization.com/customer"/>
<n:getNameAdd>
<n:CustomerID s = "313"/>
</n:getNameAdd>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
<SOAP-ENV:Envelope>
<SOAP-ENV: Body>
<xmlns:n = "http://myorganization.com/customer"/>
<n:getNameAddResponse>
<n:Name s = "Donald Duck">
<n:Address = "Cornelis Prulplantsoen 1">
</n:getNameAddResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
120
MODULE 7. COMPONENT SOFTWARE
call or response information. Figure 7.9 shows an example of a SOAP message and the
corresponding SOAP response.
Web services offer computational services to other systems. Those other systems may
be software, or websites targeting people. The computational services that are offered
include databases.
A web service combines a deployed component and a service provider. The pricing
structure may be very flexible. Web services are more self-contained than typical com-
ponents or applications: they can not make any assumptions about the environment in
which they will be used.
The Web Service Description Language (WSDL) from 2001 is used to describe a web ser-
vice, much like an Interface Definition Language. It is built on XML. Figure 7.10 shows
an example of a WSDL document that describes a service that accepts requests for stock
quotes.
The Universal Description, Discovery and Integration service (UDDI) from 2001 is a direc-
tory service to discover web-services. It is itself a web service, approachable through
SOAP. An inquiry to find a business registered under a certain name is shown in Fig-
ure 7.11. It does not directly use WSDL, but a mapping between the data models exists.
DISCUSSION QUESTIONS
1. The goal of the Scala project is to bring component definition and composition
into the programming language, and eliminate the need for ‘glue’ and ‘wiring’.
The goal of web services is to provide a mechanism for description, discovery
and use of components that is totally independent from the implementation tech-
nique. Are these goals as incompatible as they seem? Discuss their respective
merits.
2. Applications themselves can be viewed as components existing within the OS
framework. How do they handle the required interface problem?
3. The relationship between software architecture and software components has not
been addressed explicitly in this module. How would you describe the relation?
122
Module 8
Design by contract
INTRODUCTION
LEARNING OBJECTIVES
After having studied this module you should be able to:
– explain the concepts of pre- and postconditions,
– explain the concepts of external references, self-interference and
callback, the problems concerning contracts, and the way to overcome
these problems,
– explain the different kinds of polymorphism, and their relation to
contract specification,
– explain the problem of the fragile base class,
– describe the methods of contract verification,
– describe the problems with contract changes.
124
MODULE 8. DESIGN BY CONTRACT
8.1 Contracts
pre U,
post V
means: if the specified method is called in a state where U is satisfied, it will terminate
in a final state where V is satisfied. An example of a specification is:
This contract states that if the specified method is called in a state where the buffer is
not full, it will end in a state where the buffer holds the items that were held before the
method was called, plus one more item.
The precondition is concerned with the value of the buffer before the method was called,
and the postcondition with the value of the buffer after the method was called. However,
as you see in this example, it is often easier to specify the postcondition while using the
values that were valid in the precondition: in this case, the postcondition is expressed
using the ‘old’ value of the buffer.
Several formal notations allow the specification of pre- and postconditions, such as
OCL (Object Constraint Language) [34] or Object-Z [51]. OCL is the standard notation
in UML to specify pre- and postconditions.
The example uses the notation that is used in Eiffel [16] (using old for the values as
they are valid in the precondition). In OCL, you do not use old buffer, but you
would use buffer@pre.
DEFINITION 8.1 A frame explicitly lists what may be changed by a method call.
When one does not use a frame, to be precise, one should add v = old v to the
postcondition for every variable v that is not changed by the method call.
DEFINITION 8.2 A class invariant is a constraint that is true for every object of the class at start and
finish of method invocations. A class invariant is expressed as a relationship between
values of the attributes of the class.
An example of a class invariant is
This means that before and after each call to a method of the class, the value of the
attribute tax is equal to the value of the attribute total, multiplied by the value that the
attribute country gives when its method getRate is called.
A class invariant is automatically added to both the pre- and postcondition for ev-
ery operation, even for newly added operations in subclasses. A class invariant should
even be valid at exceptional termination, when the normal postcondition is not reached.
wife = w;
w.marry(this);
...
In the example, the class invariant states that each Man is married to zero or one Woman,
and that no Woman is married to more than one Man (there may be unmarried Women
though): the Woman a Man is married to, should be married to that Man.
It is obvious that the statement wife = w; is sufficient to guarantee the postcondition
of marry, but that statement can not guarantee the class invariant. In this case, to
guarantee the class invariant, it seems necessary and sufficient to add the statement
w.marry(this);. After all, the Man calls a method marry from his wife, with himself as a
parameter, so you would think that the class invariant of Man, which states that he is
the husband of his own wife, seems to be safe.
But the invariant will be broken when the wife marries someone else: then w may be
in a state where w.husb != this. A Man has no complete control over Woman, so Man
cannot guarantee that wife will not exchange him for another Man.
husb = m;
...
The class Wife has a method marry which seems to reestablish Man’s class invariant:
when he marries her, she marries him, so his class invariant wife.husb = this is true. But
can we guarantee that it will be true all the time? Consider the following scenario:
126
MODULE 8. DESIGN BY CONTRACT
Remedy
A remedy for this problem is to only allow external references in class invariants if
these class invariants are immune against operations on other classes. The remedy to
the indirect invariant effect is similar to problems encountered with multithreading. In
the case of threads, one may safely assume that it does not matter whether the state of
a program is interfered with by other programs (or other threads), if the constituents
of the proof of the program are not interfered with by other programs or threads [38].
The Owicky-Gries method says: consider two processes. One process affects x and y:
*[x:= 1]
*[y:= 1]
*[x:= 2]
In that case, you may not write x=1 as a postcondition. However, you may write y=1.
In the Man and Woman example, this means that we have to add a precondition
husb.wife �= this
to the method Woman.marry (which prevents a Woman from marrying when she has
already a husband), and a precondition
w.husb.wife �= w
to the method Man.marry. In the two statements above, first m1.marry(w) is called. The
precondition of the method marry of Man says that the wife of the husband of w should
not be w, which means that she is not already married. First the variable wife of m1 gets
the value of w, and then w.marry(m1) is called.
The precondition of that method says that the wife of the husband of w may not be
w, which is not the case, because she is not yet married. After the execution of both
methods, m1.wife = w and w.husband = m1: our man is married to his wife, and she is
married to him.
Now we try to execute w.marry(m2). The precondition says that the wife of the husband
of w should not be w herself. But, as the husband of w is m1, and the wife of m1 is w,
the precondition is not fulfilled, which means we cannot execute w.marry(m2).
8.2.2 Self-interference
public class DigitList
int m;
int[] a = new int[100];
// inv (all i: 0 <= i <= m: a[i] < 10)
The invariant of the class DigitList says that each filled cell of the array a contains a
value smaller than 10, and that the first m+1 cells have a value. The precondition of the
method add says that x is smaller than 10, and the postcondition says that 1 has been
added to the old value of m and that the array a is the same as before the method was
called, with one extra filled cell with the value of x.
It is obvious that the method add does not violate the class invariant. However, the
method print is called at a moment in which the class invariant temporarily does not
hold: the number of filled cells of the array a is 1 less than the value of m+1 at that
moment.
This is an example of self-interference: a state in which the class invariant temporarily
does not hold is exposed through a method call of the object itself.
interface TextModel
interface TextView
TextModel text;
void setCaret(int pos);
void type(char ch);
void insertNotification(int pos);
...
// implementation:
void type(char c)
int p = caretPos();
setCaret(p+1);
text.write(p, ch);
128
MODULE 8. DESIGN BY CONTRACT
Consider TextModel and TextView as part of a MVC library for text manipulation. An
object of type TextView may register itself with an object of type TextModel. The method
text.write(p, ch) in the TextModel will try to keep the position of the caret up to date.
Therefore, it will move the caret one position to the right when a character has been
inserted in the text left of the caret. In other words, the method write of the TextModel
class will have a statement like
However, when a character is typed in the TextView object, the caret is moved one
position, resulting in a position after the added character. Therefore, because it detects
that the actual position of the caret is behind the place where character is written, the
TextModel object will move the caret again. The two last statements in the method
type therefore should be exchanged: in that case, the caret will only be moved forward
by the TextView object, because the Model will see that the caret is situated before the
added character (and therefore will not move the caret). This is another example of self
interference.
Callbacks
8.3 Polymorphism
The concept of polymorphism is used in two ways:
DEFINITION 8.3 Polymorphism is the ability of different things to appear the same in a certain context.
In other words, B can be used where A is expected when the precondition of A.f implies
the precondition of B.f and when the postcondition of B.f implies the postcondition of
A.f.
This is easy to understand: before the operation is called, the precondition must be
true. If the precondition of A.f is true, and this precondition implies the precondition
of B.f, than it is obvious that B.f may be used wherever A.f is expected.
After the execution of the operation, the postcondition of A.f must be true. If the post-
condition of B.f implies the postcondition of A.f, it is obvious that B.f may be used: A.f
will be true after the execution of B.f.
interface TextModel
...
void write(int pos, char ch);
// frame len, txt
// pre len < max and 0 ≤ pos ≤ len
// post len = old len + 1 and Ě
...
In TextModel, the precondition that len is smaller than max and that pos is smaller than
or equal to len implies that pos is smaller than max. In other words, with respect to
the precondition, MyTextModel may be used were TextModel is expected. Note that
substitutability does not say anything about implementation; it only states things about
the contract of the interface.
130
MODULE 8. DESIGN BY CONTRACT
Ideally, contracts would be explicit and formal. Ideally, it would be possible to have a
tool check an implementation and client requests against the contract. However, it is
difficult and expensive to write explicit and formal contracts, and an efficient general-
purpose verifier is not feasible. What is possible is a tool to support theorem proving,
whereby the user proposes logical deduction from a logical statement, and the tool
verifies the deduction. However, using such a tool is expensive, as it requires man-
ual assistance. Therefore, developers have to try to avoid errors without the help of
contract verification. Some errors can be avoided by a language or by a compiler.
Memory errors
A memory error occurs when a program reads a memory cell based on a wrong assump-
tion of what the cell contains. An example is a cell that holds a character, and is read
as though it holds a short. Memory errors can affect unrelated parts of programs, are
notoriously hard to track down, and can be arbitrarily destructive.
A type system can prevent memory errors automatically. A type groups all values of
related semantics. A type is characterized by an interface: a set of operations with sig-
natures.
Covariant
The factory method pattern is an example of using the covariant: suppose we have a
class CarFactory with a factory method that creates objects of type Car, then objects of a
subtype of CarFactory may create objects of a subtype of Car (for instance a TruckFactory
that creates a Truck).
Contravariant
Now suppose that a CarFactory needs an object of class Euro as an input parameter
for its method createCar, and TruckFactory needs an object of class Money as an input
parameter for the method createCar. When Euro is a subtype of Money, TruckFactory is
a subtype of CarFactory. When CarFactory would need Money and TruckFactory would
need Euro, we could have a Buyer who uses an object of Roebel to pay for a Truck, be-
cause Buyer only knows he is buying from a factory of type CarFactory.
Contract changes
Here, the operator + that works with two integers is overloaded with summation of
two complex numbers (and is overloaded on other numeric types as well).
Parametric polymorphism
Parametric polymorphism is: letting the same implementation serve several types. An
example is formed by templates in C++ . Templates in C++ lead to code explosion:
the preprocessor generates explicit source code for every instantiation. Also, templates
themselves cannot be statically type checked.
Another example is formed by Java generics (introduced in J2SE 5.0, 2005). In the case
of Java generics, there is no code duplication at any level, and there is full static type-
checking.
Bounded polymorphism combines parametric and subtype polymorphism. An example
is formed by bounded wildcards in Java:
Here, any List may be used that holds elements that are a subtype of Person.
8.4 Inheritance
The concept of inheritance has three facets, that are often not clearly distinguished:
1. Subclassing (implementation inheritance)
2. Subtyping (interface inheritance)
3. Substitutability (with respect to arguments of methods)
132
MODULE 8. DESIGN BY CONTRACT
Diamond inheritance
B1 B2
b = (n > 0)
c = (2 | n)
Then operations on B1 are only specified in their effects on the sign of n, and what their
effect is in terms of the abstraction of B2 cannot be deduced without looking at their
implementation in terms of n. Hence encapsulation is broken.
So, the question in this case is: do B1 and B2 each get their own copy of the state of A?
– If no, this breaks encapsulation, like in the example above.
empty = (fuel = 0)
Suppose Truck and FamilyCar each have their own copy (fuel1 and fuel2) of attribute fuel
defined in Car. Then the getFuel() method defined in Car will return fuel1 if called on
a Truck object, and fuel2 if called on a FamilyCar object. But a Van object has both, and
it is not clear whether fuel1 or fuel2 should be returned, and class variants for Van may
get inconsistent.
When Truck and FamilyCar do not have their own copy of attribute fuel, and FamilyCar
has a method beOnTimeAtAirport, with postcondition
fuel >= 0
we have to check the implementation of that method to see what influence it has on the
class invariant for empty.
Mixins
Mixins are a particular style of multiple inheritance. A class inherits an interface from
one superclass, and an implementation from several classes, called mixins. Mixins are
used to build e.g. GUI’s. Every mixin concentrates on a single aspect, e.g. window
borders. Independence is necessary but not enforced.
Traits
Traits (introduced in the Scala programming language) combine advatages of noth in-
terfaces and mixins. A class may use several traits, and, like Java interfaces, traits ex-
tend the interface of the class using them. Traits differ from interfaces in that methods
declared in a trait may be both without and with an implementation. Diamond inher-
itance is prevented by making the order in which traits are used important. Method
implementations of last trait mentioned override method implementations of traits ear-
lier mentioned.
In this example, method implementations of trait Worker will be used, in case there are
method implementations for a method with the same name in trait Student and traid
Worker.
134
MODULE 8. DESIGN BY CONTRACT
8.5 Delegation
8.6.1 Eiffel
Eiffel is an interesting language with respect to contracts: it is an object-oriented pro-
gramming language with full support for preconditions, postconditions and class in-
variants.
class STACK[T]
feature
count: INTEGER
capacity: INTEGER
top: T is
require not empty
do ... end
empty: BOOLEAN is ...
push(elem: T) is
invariant
0 <= count
count <= capacity
capacity = rep.capacity
empty = (count = 0)
(count > 0) implies (rep.item(count) = top)
This Eiffel code shows a class and a class invariant. A feature is a combination of
attributes and methods; a class may have several features. The statement feature
NONE means that this feature is invisible for all other objects. A precondition is written
using the keyword require, and a postcondition with the keyword ensure. In this
example, the precondition of the method push is that the stack is not full, and the
postcondition is that the stack is not empty, that the new element is placed on top, and
that the number of elements has grown with one. The class invariant in the example
states that the number of elements may be zero, and may reach the value of capacity.
It also states that the method empty returns TRUE is the number of elements is zero. It
also states that, when the stack is not empty, the method top returns the top element
of the stack.
The explanation of the meaning of the statements in the class invariant shows some
problems with assertions in Eiffel:
• Class invariants are also used to characterize the result of functional methods.
This is the only way to state such postconditions, because the keyword ensure
may only be used to specify state changes. This means that method specification
gets mixed with the characterization of legal object states. This is a consequence
of the Eiffel philosophy not to distinguish between functional methods and read-
only public fields.
• Every assertion must be a boolean expression. This means that it is hard or im-
possible to specify the postcondition of certain methods, for instance, of a method
that returns the sum of the values of the elements.
136
MODULE 8. DESIGN BY CONTRACT
javadoc comments serve as a guidance for implementors and client programmers, as-
sert statements for runtime checking.
An alternative (for guidance and as a basis for correctness proof) is:
– Describe the properties of objects in terms of the problem domain being modeled.
In the example: a stack represents a finite sequence in T∗ .
– Specify operations in terms of the model only. This means: do not use any at-
tributes. As a result, it is also possible to specify operations of an interface, and
the specifications remain valid when you change the representation. In the exam-
ple:
push(elem) ensures stack = [elem] ++ old stack
– Specify the implementation in terms of a class invariant. In the example this
would be:
∀i : 0 ≤ i ≤ capacity : stack{i} = rep.item[i]
DISCUSSION QUESTIONS
INTRODUCTION
Service orientation is a particular strategy for separating concerns and dividing a sys-
tem into components. Its fundamental characteristic is that every component provides
a distinct service that can be used by multiple consumers. Service logic can encompass
the logic provided by other services: the point of such a service is that it composes a
number of other services into a collective.
The paradigm of service orientation is based on the interaction of businesses in an ideal
market: a business should then be able to use services offered by others, and offer ser-
vices to others. Likewise, service orientation can be used within an organization. An
example might be a bank. Imagine that several areas of banking applications will deal
with the current balance of an existing customer. More than often, the “get current bal-
ance” functionality is repeated in various applications within a banking environment.
This gives rise to a redundant programming scenario. The focus should be toward
finding this sort of common, reusable functionality and implement it as a service, so
that all banking applications can reuse the service as and when necessary.
With minimal interdependencies, the number of services may grow autonomously,
within and between organizations. Adherence to standardized interaction conventions
make minimal interdependency possible.
In this module, we will discuss the key aspects of services, show you the various stan-
dards that are used for service oriented architectures, discuss the concepts of orches-
tration and choreography, and give an example of a platform for service oriented ar-
chitecture.
LEARNING OBJECTIVES
After having studied this module you should be able to:
– explain the meaning of the concepts of service-oriented architecture,
coordination, orchestration and choreography,
– mention the key aspects of service-oriented architecture,
– describe the purpose of the existing standards concerning
service-oriented architecture.
138
MODULE 9. SERVICE ORIENTED ARCHITECTURES
9.1.1 Communication
A service can only be used if potential clients are aware of its existence, and have infor-
mation about how to use it. This is achieved through service description.
DEFINITION 9.1 A service description contains at least the name of the service, the location of the service,
and the data exchange requirements.
Communication between services is done through messages, asynchronously: services
communicate over the internet, and the loss of a connection or of a communicating
partner should not block the system that offers the service. Messages should be au-
tonomous, which means that they must be outfitted with enough information to self-
govern their part of the processing logic.
DEFINITION 9.2 Service-oriented architecture (SOA) means: an architecture entirely composed of ser-
vices.
This paradigm does not care about implementations, and can be realized with any
suitable technology platform. Web services, as they have developed over the last few
years, are a very successful technology platform for the support of a service-oriented
architecture. Web services include technology standards such as SOAP, WSDL, XML
and XML Schema.
But keep in mind that using web services does not automatically make an architecture
service-oriented. What makes an architecture service-oriented is that it may be viewed
as a configuration of components, with each component offering functionality by pro-
viding a service.
Quality of service
Open standards
140
MODULE 9. SERVICE ORIENTED ARCHITECTURES
abstracted into separate service layers, which means that it will be easier to intro-
duce new technology.
However, these benefits only manifest themselves in the long run, as the use of service-
oriented principles becomes established.
There are also pitfalls in adopting SOA:
• Another pitfall is not to standardize. This will lead to disparate schemas, repre-
senting similar information.
• A fourth pitfall is not to keep in touch with platform and standard development:
service orientation is an area in development.
• The W3C (World Wide Web Consortium) was founded in 1994, by Tim Berners-
Lee. Some standards of the W3C are HTML, XML, XSD, XSLT and SOAP.
Two of the projects of the OSOA Collaboration are the SCA (Service Component Ar-
chitecture) project, and the SDO (Service Data Objects) project. SCA is a model for
building service-oriented systems (not necessarily based on web services). SDO is a
unified model for data handling (not necessarily from XML data sources).
The central theme in the WS-Coordination standard is that of coordination context infor-
mation.
DEFINITION 9.3 In general terms, coordination is the act of a coordinator disseminating information to
a number of participants for some domain-specific reason.
142
MODULE 9. SERVICE ORIENTED ARCHITECTURES
9.4 Orchestration
DEFINITION 9.4 Orchestration is a centrally controlled collection of workflow logic that takes care of
the interoperability between various processes or legacy environments.
Orchestration can be seen as the ability to control how information flows and services
interact to form solutions. In essence, orchestration is a meta application layer over
and above existing services and data that binds systems and services together. It was
originally developed for middleware for enterprise application integration, but is very
usable for the coordination of services in a service-oriented architecture.
Orchestration is often implemented by a hub-and-spoke model and a central orchestra-
tion engine. With such an approach, workflow is more easily maintained than when
embedded in individual solution components.
In service-oriented architectures, orchestrations themselves exist as services that repre-
sent and express business logic.
9.5 Choreography
Orchestration expresses organization-specific workflow; choreography is not owned by
a single entity and acts as a community interchange pattern for collaborative pur-
poses. WS-CDL (Web Services Choreography Description Language) organizes infor-
mation exchange between multiple organizations in order to make collaboration pos-
sible. None of the organizations controls the collaboration logic.
Choreography is defined in terms of relationships (potential exchanges) and channels
(defining the nature of the messages exchanged). Every relationship consists of ex-
actly two roles. Relationships determine who can talk to whom; channels establish the
nature of the conversation. Channel information can be passed around in a message,
facilitating dynamic discovery of potential collaborators.
WS-BPEL (by OASIS, for orchestration) and WS-CDL (by W3C, for choreography) over-
lap somewhat in functionality.
144
MODULE 9. SERVICE ORIENTED ARCHITECTURES
9.6.2 WS-Security
The WS-Security framework provides extensions that can be used to implement message-
level security measures, to protect message content during transport and during pro-
cessing by service intermediaries.
WS-Security establishes a standardized header block for SOAP messages that expresses
their origin or owner (called a token). The token contains elements like Username en
Password. Binary data, such as certificates, can be represented in an encoded format.
DISCUSSION QUESTIONS
1. It is often claimed that SOA is the next phase in the evolution of business automa-
tion, just as mainframe systems were succeeded by client-server applications, and
these in turn evolved into classical distributed systems. Others claim that SOA is
just a marketing term used to re-brand distributed computing with web services.
Whose side are you on and why?
2. What impact does the introduction of SOA have on an organization’s capabilities?
How would you convince a non-technical manager of its benefits?
3. Can you think of applications where the introduction of SOA would be detrimen-
tal and should be resisted?
146
Bibliography
[2] C. Alexander. The Timeless Way of Building. Oxford University Press, 1979.
[6] L. Bass, P. Clements, and R. Kazman. Software Architecture in Practice (2nd ed.).
Addison Wesley, 2003.
[7] A. Birrel and B. Nelson. Implementing Remote Procedure Calls. Technical Report
CSL-83-7, Xerox, 1983.
[8] I. T. Bowman, R. C. Holt, and N. V. Brewster. Linux as a case study: its extracted
software architecture. In Proceedings of the 21st international conference on Software
engineering, ICSE ’99, pages 555–563, New York, NY, USA, 1999. ACM.
[10] J. Burg. Business modeling and requirements engineering. dictaat VU, 2005.
[11] Carnegie Mellon Software Engineering Institute. Software product lines. http:
//www.sei.cmu.edu/productlines/, 2006.
[15] Eclipse Open Source. SWT, the Standard Widget Toolkit. http://www.
eclipse.org/swt/.
148
BIBLIOGRAPHY
[16] Eiffel Software. Frequently asked questions about the Eiffel language. http:
//www.eiffel.com/developers/faqs/eiffel-language.html.
[17] D. C. Fallside and P. Walmsley. XML Schema Part 0: Primer Second Edition, W3C
Recommendation 28 October 2004. http://www.w3.org/TR/xmlschema-0/,
2004.
[18] R. Fielding and R. Taylor. Principled design of the modern Web architecture. ACM
Transactions on Internet Technology (TOIT), 2(2):115–150, 2002.
[22] C. B. Hissam, Scott A. Weinstock. Open source software: The other commercial
software. In Making Sense of the Bazaar: 1st Workshop on Open Source Software Engi-
neering, 2001.
[24] G. Hohpe and B. Woolf. Enterprise Integration Patterns: Designing, Building, and
Deploying Messaging Solutions. The Addison-Wesley Signature Series. Addison-
Wesley, 2004.
[27] P. Kruchten. Architectural blueprints: the 4+1 view model of architecture. IEEE
Software, 12(6):42–50, 1995.
[29] S. Lilly. How to avoid use-case pitfalls. Software development, 8(1):40–44, January
2000.
[30] L. Maciaszek. Requirements Analysis and System Design. 2nd ed. Addison Wesley,
2005.
150
BIBLIOGRAPHY
�
��������� ������������� ��� ����
����������� ���������� ����� ������
������ ������������ ���� ��������� ���
��������� �������� ����� �� ����� ���
�������������������������������������
��������� ��� �������������� ����
��������� ������������� �� �� �������
��� �� ����������� ������������ ��� ����
����������������������������������